SQLi is /so/ Last ShmooCon

Falcon Darkstar Momot

ShmooCon XX (Final) · Day 2 · Belay It

In "SQLi is /so/ Last ShmooCon," Falcon Darkstar Momot, a Product Security Manager at a database company, challenges the persistent prevalence of SQL injection vulnerabilities and proposes a fundamental shift in how applications interact with databases. The talk argues that the traditional model of sending raw, programmable SQL statements from application servers to highly privileged database users is inherently insecure and outdated. Momot advocates for an architectural pattern that re-imagines the database itself as a secure, well-defined **API**, leveraging advanced PostgreSQL features to enforce granular access control and significantly reduce the attack surface.

AI review

This talk, despite its somewhat provocative title, delivers a genuinely strong and actionable approach to mitigating SQL injection beyond the usual advice. Momot presents a robust architectural pattern that leverages PostgreSQL's built-in security features—such as `SECURITY DEFINER` functions, granular role-based access control, and `PG JWT`—to treat the database as a self-enforcing API. This strategy significantly reduces the attack surface by confining application users to predefined, secure interactions with data, moving the defense deeper into the data layer.
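The following is an added illustration of the "database as API" pattern described above; it is constructed for this page, not code from the talk or its slides, and the role, schema, table and function names are assumptions. The application role owns nothing and can only call one typed `SECURITY DEFINER` function, so the set of queries it can run is fixed by the DBA rather than assembled by the application.

```sql
-- Added example (not the speaker's code). Names below are constructed.
-- api_owner owns the data and the vetted entry points; app_user is what
-- the application server connects as and holds no table privileges.
CREATE ROLE api_owner NOLOGIN;
CREATE ROLE app_user LOGIN PASSWORD 'replace-me';

CREATE SCHEMA data AUTHORIZATION api_owner;
CREATE SCHEMA api  AUTHORIZATION api_owner;

CREATE TABLE data.accounts (
    id      bigint        PRIMARY KEY,
    owner   text          NOT NULL,
    balance numeric(12,2) NOT NULL
);
ALTER TABLE data.accounts OWNER TO api_owner;

-- The only way in: a SECURITY DEFINER function that runs with the owner's
-- rights. Arguments are typed, so the caller supplies a value, not SQL text.
-- search_path is pinned (pg_temp last) so a caller cannot redirect name
-- resolution to objects they control.
CREATE FUNCTION api.account_balance(p_owner text)
RETURNS numeric
LANGUAGE sql
SECURITY DEFINER
SET search_path = data, pg_temp
AS $$
    SELECT balance FROM data.accounts WHERE owner = p_owner;
$$;
ALTER FUNCTION api.account_balance(text) OWNER TO api_owner;

-- Lock down. PostgreSQL grants EXECUTE to PUBLIC on new functions by
-- default, so the REVOKE on the function is required, not optional.
REVOKE ALL ON SCHEMA data FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA data FROM PUBLIC;
REVOKE ALL ON FUNCTION api.account_balance(text) FROM PUBLIC;
GRANT USAGE   ON SCHEMA api TO app_user;
GRANT EXECUTE ON FUNCTION api.account_balance(text) TO app_user;

-- From the application, the whole reachable surface is one bound call:
--   SELECT api.account_balance($1);
-- whereas a direct read from app_user is refused:
--   SELECT * FROM data.accounts;   -- ERROR: permission denied for schema data
```

A quick check after deployment is to connect as `app_user` and confirm that `\df api.*` lists only the intended functions and that every table in `data` reports `permission denied`.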
