Die With MongoDB
February 21, 2017
"So which DBMS do you like, Watson? SQL or NoSQL?"
"I love MongoDB, Holmes."
"I guessed so!"
"You have suicidal tendencies."
- The Adventures of Blind Lover
Every now and then we hear about how vulnerable MongoDB is, and how Moriarty's men are watching out and asking for ransom. Does that put you off Mongo? If so, you are missing something.
I love Mongo. It was more like love at first sight. Installation to Hello World is a breeze. It is the simplicity of MongoDB that strikes you. Find your match on Friday, and off on honeymoon on Saturday. No complex temple rituals, no parents' permission needed. This is fantastic. You can insert something in the database without even having anything to insert in the first place. Crazy! No need to define a schema. Every document can have a different structure. A query on a nonexistent field does not break anything. The speed is with the developers, and they love it. "Do I even need a DBA?" you think. And then you get that email showing how Prof. Moriarty broke into the Bank of England's database.
The default 'instantiation' of Mongo is absolutely not secured. No kidding. You don't have a default username and default password to connect to a database. No security! When I first saw it, I liked it. Start coding, it is ready. This is the opposite of starting with very tight security and then worrying about it nevertheless. But are you ready to deploy?
MongoDB has published a Security Checklist to guide you on security. I don't think you need to be a security expert to 'check' many of its items. You can, of course, harden it further. The Enterprise version comes with even more security features, like Encryption at Rest. MongoDB University has come up with a special course on Security. Does all this save you from code injection attacks? Perhaps not. You still have some work to do in your application layer.
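One form that application-layer work can take, as an added example that is not from the original post: validate request input before it becomes a MongoDB filter, so only plain strings reach the query and the server picks the operator. The function names, the `username` and `token` fields, and the sample request bodies are assumptions made up for illustration.

```javascript
// Added example: application-layer guard against MongoDB operator injection.
// Function names and sample bodies are hypothetical, constructed for illustration.

function describe(value) {
  if (value === null) return "null";
  return Array.isArray(value) ? "array" : typeof value;
}

// Accept only a bounded, non-empty string. A JSON body parser turns
// {"token": {"$ne": null}} into an object; if that object reaches the filter
// unchanged, the client chooses the comparison operator instead of the server.
function assertScalar(name, value, maxLen = 256) {
  if (typeof value !== "string") {
    throw new TypeError(`${name} must be a string, got ${describe(value)}`);
  }
  if (value.length === 0 || value.length > maxLen) {
    throw new RangeError(`${name} length out of range`);
  }
  return value;
}

// Build the filter from validated scalars and pin $eq on the server side.
function buildLookupFilter(body) {
  if (describe(body) !== "object") throw new TypeError("body must be an object");
  return {
    username: { $eq: assertScalar("username", body.username) },
    token: { $eq: assertScalar("token", body.token) },
  };
}

// Detection helper: list every key in untrusted input that starts with "$"
// or contains ".", so rejected requests can be logged with the exact path.
function findOperatorKeys(value, path = "body", found = []) {
  if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      const here = `${path}.${key}`;
      if (key.startsWith("$") || key.includes(".")) found.push(here);
      findOperatorKeys(child, here, found);
    }
  }
  return found;
}

// Constructed request bodies: one ordinary, one carrying an operator object.
const benignBody = { username: "watson", token: "221b" };
const operatorBody = { username: "watson", token: { $ne: null } };

console.log(buildLookupFilter(benignBody));
console.log(findOperatorKeys(operatorBody)); // [ 'body.token.$ne' ]
```

Calling `buildLookupFilter(operatorBody)` throws a `TypeError` instead of returning a filter, which is the point at which the request should be rejected and logged.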
My advice: MongoDB is awesome. Don't shy away out of fear about security. Well, you may want to die for your love.