SQL Injection Is Boring: Advanced Threats You’re Not Watching
Friday, June 26 at 09:00–09:50
-
Domenico is a Senior Database Specialist Solutions Architect at AWS. In his role, Domenico works with customers in the EMEA region to provide guidance and technical assistance on database projects, helping them get more value from their solutions when using or migrating to AWS by designing scalable, secure, performant, sustainable, cost-effective and robust database architectures in the AWS Cloud.
-
I have been working with Amazon Web Services as a Senior Database Migration Specialist for the last 4 years and have a total of 14 years of experience. I specialise in guiding organizations through complex modernization journeys. With extensive experience leading mission-critical migrations, I help teams navigate the challenges of moving from legacy systems to modern cloud platforms. My passion lies in developing practical solutions for near-zero-downtime migrations and risk mitigation strategies. I also have engineering experience, including Ora2PG, MSSQL2PG and Ora2MSSQL (legacy application) migrations. I was a CIO for Aviva UK Life in 2017.
Everyone knows how to prevent basic SQL injection, but modern attackers have moved far beyond textbook exploits. In high-traffic PostgreSQL deployments, subtle misconfigurations and overlooked features can open doors to far more sophisticated attacks.
This talk uncovers the next generation of database threats that rarely make it into security checklists. We’ll examine:
- Privilege Escalation via Extensions and Foreign Data Wrappers – how seemingly harmless extensions or FDWs can leak credentials or access external systems.
- Timing and Side-Channel Attacks – extracting secrets by measuring query latency and caching behavior.
- Abusing Logical Replication and LISTEN/NOTIFY – stealthy data exfiltration channels hidden in plain sight.
- Role Inheritance & Row-Level Security Pitfalls – ways attackers exploit complex permission hierarchies.
Attendees will learn how to recognize these attack surfaces, configure PostgreSQL securely, and implement defense-in-depth strategies such as strict role design, immutable infrastructure, and continuous auditing.
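As an added illustration of the role inheritance and row-level security pitfalls listed above (this is not material from the talk or its speakers), the following PostgreSQL script shows three ways a tenant-isolation policy is silently bypassed and the strict role design that closes each gap. The role, table and function names are invented; it assumes a scratch database on a supported PostgreSQL release, run as a superuser, and the passwords are placeholders.

```sql
-- Added example, not from the talk. Run as a superuser in a throwaway database.
-- Names (app_owner, tenant_a, tenant_b, invoices, report_total) are invented.

-- Setup: a common shortcut is to let the application's login role own its tables.
CREATE ROLE app_owner LOGIN PASSWORD 'example-only';  -- placeholder credential
CREATE ROLE tenant_a  LOGIN PASSWORD 'example-only';
CREATE ROLE tenant_b  LOGIN PASSWORD 'example-only';

SET ROLE app_owner;
CREATE TABLE invoices (
    id     serial  PRIMARY KEY,
    tenant text    NOT NULL,
    amount numeric NOT NULL
);
INSERT INTO invoices (tenant, amount) VALUES ('tenant_a', 100), ('tenant_b', 250);

ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON invoices USING (tenant = current_user);
GRANT SELECT ON invoices TO tenant_a, tenant_b;

-- A reporting helper that runs with the owner's rights.
CREATE FUNCTION report_total() RETURNS numeric
    LANGUAGE sql SECURITY DEFINER
    AS $$ SELECT sum(amount) FROM invoices $$;
GRANT EXECUTE ON FUNCTION report_total() TO tenant_a;
RESET ROLE;

-- Direct access is filtered as intended.
SET ROLE tenant_a;
SELECT count(*) FROM invoices;          -- 1 row (only tenant_a's invoice)

-- Pitfall 1: SECURITY DEFINER runs as app_owner, and a table owner is exempt from
-- its own policies unless FORCE ROW LEVEL SECURITY is set. The caller sees everything.
SELECT report_total();                  -- 350 (both tenants' amounts)
RESET ROLE;

-- Pitfall 2: the owner itself bypasses the policy when connecting directly.
SET ROLE app_owner;
SELECT count(*) FROM invoices;          -- 2 rows
RESET ROLE;

-- Pitfall 3: ownership checks follow inherited role membership. Granting the owner
-- role to a tenant (default INHERIT) makes that tenant count as owner for RLS.
GRANT app_owner TO tenant_b;
SET ROLE tenant_b;
SELECT count(*) FROM invoices;          -- 2 rows, policy bypassed via inheritance
RESET ROLE;

-- Hardening ------------------------------------------------------------------

-- (a) Subject the owner to its own policies.
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;
-- Note: with FORCE alone, report_total() would now return NULL for tenant_a,
-- because inside the definer current_user is 'app_owner' and matches no rows.

-- (b) Let the caller's policies apply; if the function must stay SECURITY DEFINER,
--     at least pin search_path and revoke PUBLIC execute.
ALTER FUNCTION report_total() SECURITY INVOKER;
ALTER FUNCTION report_total() SET search_path = pg_catalog, public;
REVOKE EXECUTE ON FUNCTION report_total() FROM PUBLIC;

-- (c) Strict role design: the object owner is not a login role, and no application
--     role is a member of it. Anyone who needs owner rights must SET ROLE explicitly.
ALTER ROLE app_owner NOLOGIN;
REVOKE app_owner FROM tenant_b;

-- Verification ---------------------------------------------------------------
SET ROLE tenant_a;
SELECT report_total();                  -- 100 (tenant_a only)
RESET ROLE;
SET ROLE tenant_b;
SELECT count(*) FROM invoices;          -- 1 row
RESET ROLE;
SET ROLE app_owner;
SELECT count(*) FROM invoices;          -- 0 rows: owner now filtered too
RESET ROLE;
```

Two checks worth adding to a continuous audit: query pg_tables for tables with rowsecurity enabled but forcerowsecurity false (pg_class.relforcerowsecurity), and list members of table-owning roles via pg_auth_members, since either condition reintroduces the bypasses shown above.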