AppSec Europe 2016 has ended
Friday, July 1 • 15:00 - 15:45
Big problems with big data - Hadoop interfaces security

Did "cloud computing" and "big data" buzzwords bring new challenges for security testers? 
In this presentation I would like to show that penetration testing of a Hadoop installation does not really differ much from testing any other application. Apart from the complexity of the installation and the number of interfaces, standard techniques can be applied to test for: web application vulnerabilities, SSL security, encryption at rest, bugs in obsolete libraries and the least privilege principle.
We tested popular Hadoop environments and found a few critical vulnerabilities, which for sure cast a shadow on big data security. So as not to stop with CVE shooting, we would like to show you our approach to testing big data installations and a few ideas of how to keep them secure.

- big data installations architecture 
- attack vectors and surfaces 
- least privilege principle in popular Hadoop environments 
- more detailed attack vectors and possible risks: obsolete packages in popular Hadoop environments, vulnerabilities in web interfaces 
- more focus on administrative interfaces (Ranger, Ambari, Hue) 
- problems with user interfaces (e.g. Hue) 
- hints for pentesting Hadoop installations 
- hints for securing Hadoop installations

Jakub Kaluzny

Sr. IT Security Consultant, SecuRing
Jakub is a Senior IT Security Consultant at SecuRing and performs penetration tests of high-risk applications, systems and devices. He was a speaker at many international conferences: BlackHat Asia, OWASP AppSec EU, PHdays, HackInTheBox, ZeroNights as well as at local security events...

Friday July 1, 2016 15:00 - 15:45 CEST
Room C (Tiziano Ballroom Sec. 2)