| From: | David Kerr <dmk(at)mr-paradox(dot)net> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | PostgreSQL + Hibernate, Apache Mod Security, SQL Injection and you (a love story) |
| Date: | 2010-02-05 19:53:32 |
| Message-ID: | 4B6C773C.8000004@mr-paradox.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Howdy all,
We're using Postgres 8.3 with all of our apps connecting to the database
with Hibernate / JPA.
Our security team is concerned about SQL Injection attacks, and would
like to implement some mod_security rules to protect against it.
From what I've read Postgres vanilla is pretty robust when it comes to
dealing with SQL Injection attacks, and when you put an abstraction
layer like Hibernate on top of it, you're basically rock solid against them.
Does anyone have experience here? One of our security people found a
generic mod_security config file that had a couple of postgres entries
in it. Is there a full Postgres config for mod_security that the
community recommends?
Can anyone give me a good pros or cons of using mod_security when you
have Postgres + Hibernate?
At this stage in our project I'm trying to avoid making decisions based
on statements like "PostgreSQL is 100% secure" or "More security can't
hurt" any change like this impacts our delivery schedule, if we are
going to do it we need to understand why and what benefits it brings.
Thanks
Dave
| From | Date | Subject | |
|---|---|---|---|
| Next Message | John R Pierce | 2010-02-05 20:09:57 | Re: PostgreSQL + Hibernate, Apache Mod Security, SQL Injection and you (a love story) |
| Previous Message | Mike Ginsburg | 2010-02-05 18:08:51 | Re: Verify a record has a column in a plpgsql trigger |