Show HN: Mongoaudit – CLI tool for auditing and pentesting MongoDB servers (github.com/stampery)
8 points by adansdpc on Feb 10, 2017 | hide | past | favorite | 2 comments



Stampery's CTO and Mongoaudit project lead here! Our reasons to launch this product:

Companies of all sizes use MongoDB, Stampery included. Why? It’s schema-less, fast, scalable. We all love its deep query-ability.

But it’s no secret that MongoDB pays more attention to scalability, performance and ease of use than to security. There are quite a few holes in its default configuration settings.

This, combined with lazy admins and devs, led to what the press has dubbed the MongoDB apocalypse. More than 25,000 MongoDB instances were targeted by hackers. Information was encrypted and money was asked for the decryption keys. In some cases information was wiped with no way to recover it.

Mongoaudit tackles this problem and more. It not only detects misconfigurations, known vulnerabilities and bugs. It also gives advice on how to fix problems and recommends best security practices.

Among other tests, it checks if:
+ MongoDB listens on a port different from the default one
+ The MongoDB HTTP status interface is disabled
+ TLS/SSL encryption is enabled
+ Authentication is enabled
+ The SCRAM-SHA-1 authentication method is enabled
+ Server-side JavaScript is forbidden
+ Roles granted to the user only permit CRUD operations
+ The user has permissions over a single database
+ The server is vulnerable to a dozen different known security bugs

Once the tests are run Mongoaudit can either display a basic report on screen or send a detailed one via email. This personalized report links to a series of guides on how to fix every specific issue and how to harden the targeted MongoDB deployment.

We have also published the Mongoaudit guides in our Medium publication; be sure to check them: https://medium.com/mongoaudit

Feedback is more than welcome!!!
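As an added example (not code from the original post or from the Mongoaudit project), here is an offline checker in Python that applies several of the configuration checks from the list above to a `mongod.conf` file instead of probing a live server: default port, HTTP status interface, TLS mode, authorization, SCRAM-SHA-1 and server-side JavaScript. The YAML option names (`net.port`, `net.http.enabled`, `net.ssl.mode`, `security.authorization`, `security.javascriptEnabled`, `setParameter.authenticationMechanisms`) are the documented MongoDB 3.x keys; the minimal parser, the two sample configs and the finding names are constructed for this example. The role checks (CRUD-only roles, single database) need a live `usersInfo` query and are not covered here.

```python
"""Offline hardening check for a mongod.conf file (added example, not Mongoaudit code)."""

DEFAULT_PORT = 27017  # mongod's default listening port


def _coerce(value):
    """Turn a scalar from the config file into bool, int or str."""
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    if len(value) >= 2 and value[0] in "'\"" and value[-1] == value[0]:
        return value[1:-1]
    try:
        return int(value)
    except ValueError:
        return value  # e.g. "0.0.0.0", "requireSSL", "/var/lib/mongodb"


def parse_mongod_conf(text):
    """Parse the indented key/value subset of YAML that mongod.conf uses.

    Only nested mappings are supported (no YAML lists); that covers the
    options checked below. Comments and blank lines are ignored.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for the current nesting path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # root has indent -1, never popped
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = _coerce(value)
    return root


def get(cfg, dotted, default=None):
    """Look up a dotted option path such as 'net.ssl.mode'."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


# Constructed remediation text, in the spirit of the tool's fix advice.
REMEDIATION = {
    "default_port": "set net.port to a non-default value",
    "http_interface_enabled": "set net.http.enabled: false",
    "tls_not_required": "set net.ssl.mode: requireSSL and configure a PEMKeyFile",
    "auth_disabled": "set security.authorization: enabled",
    "scram_sha1_not_enabled": "include SCRAM-SHA-1 in setParameter.authenticationMechanisms",
    "server_side_js_enabled": "set security.javascriptEnabled: false",
}


def audit(cfg):
    """Return the list of failed checks for a parsed mongod.conf (order is fixed)."""
    findings = []
    if get(cfg, "net.port", DEFAULT_PORT) == DEFAULT_PORT:
        findings.append("default_port")
    if get(cfg, "net.http.enabled", False) is True:
        findings.append("http_interface_enabled")
    if get(cfg, "net.ssl.mode", "disabled") != "requireSSL":
        findings.append("tls_not_required")
    if get(cfg, "security.authorization", "disabled") != "enabled":
        findings.append("auth_disabled")
    # mongod's built-in default mechanism list already includes SCRAM-SHA-1,
    # so only an explicit list that omits it is flagged.
    mechs = get(cfg, "setParameter.authenticationMechanisms")
    if mechs is not None and "SCRAM-SHA-1" not in [m.strip() for m in str(mechs).split(",")]:
        findings.append("scram_sha1_not_enabled")
    if get(cfg, "security.javascriptEnabled", True) is not False:
        findings.append("server_side_js_enabled")
    return findings


# Constructed sample: a typical out-of-the-box configuration.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
  http:
    enabled: true   # status interface exposed
"""

# Constructed sample: the same deployment after hardening.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27117
  bindIp: 127.0.0.1
  http:
    enabled: false
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
  javascriptEnabled: false
setParameter:
  authenticationMechanisms: SCRAM-SHA-1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for finding in audit(parse_mongod_conf(conf)) or ["no findings"]:
            print(f"  {finding}: {REMEDIATION.get(finding, '')}")
```

Running the script prints five findings for the weak config and none for the hardened one; `audit` returns the finding names so the result can be consumed by other tooling rather than only read on screen.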


I love the tool! Didn't know my MongoDB server had 3 vulnerabilities. PS: I love that they implemented Material Design on command line LOL

