Last week, security firm Appthority published a report titled HospitalGown: The Backend Exposure Putting Enterprise Data at Risk, which highlighted newly-discovered vulnerabilities between mobile apps and insecure backend databases containing enterprise data. The vulnerability is caused not by code in the app, but by the application developers’ failure to properly secure the backend servers with firewalls and authentication.
Appthority cited a number of exposures on multiple backend platforms, with an early iteration of the report mentioning Couchbase. However, after subsequent review, researchers realized the inadvertent inclusion and offered the following statement to Couchbase:
While our research team did analyze Couchbase servers found in the wild, we found that they all required authentication…Couchbase was listed inaccurately when a CouchDB hosting provider was meant instead.
This is the same authentication my colleague Wayne Carter wrote about in a previous blog titled Addressing decentralized data security concerns with Couchbase Mobile
Security is a forethought for Couchbase — something we’ve built-in at the outset vs. tacked on as an afterthought. Building it in this way also helps take the onus off of the developer.
On the authentication side, we support pluggable authentication including out-of-the-box support for popular public login providers like Facebook and standard OpenID Connect (OIDC) providers. In addition, developers can write their own custom provider. Developers can also restrict access to the system to successfully authenticated users or optionally allow anonymous users.
But wait, there’s more.
As Wayne wrote previously, there’s an expectation that apps should always work – with and without an internet connection. Delivering on this expectation requires access and storage of decentralized data directly on a device. Managing decentralized data introduces a number of security risks that are critical to manage, which is what the Appthority researchers discovered. In addition to user authentication, there are four other key security concerns when working with data storage and transport:
- Data Read/Write Access
- Data Transport on the Wire
- Data Storage on Device
- Data Storage in the Cloud
Couchbase Mobile resolves each of these concerns.
- For Data Read/Write Access there are fine-grained policy tools that allow controlling data access for individual users and roles. Read-side permissions are at the document level and write-side permissions are down to the field level.
- Data Transport on the Wire, for data in motion, is over TLS.
- Data Storage on Device, for data at rest on device, uses the device’s built-in File System Encryption and 256-bit AES full database encryption.
- Data Storage in the Cloud, for data at rest in the cloud, you can configure Couchbase Server to use File System Encryption.
Couchbase Mobile allows you to easily manage your data throughout the full network and application stack. This includes storage, access, synchronization, and security in the cloud, on phones, on and tablets, on the web, on your TV, in your car, and everywhere else.
Where security is a euphemistic zipper, we are covering our customers’ backs.