Environment variables are the means by which the Cloud Foundry runtime communicates to the application about its environment. One of the most important pieces of information it communicates are the services which are available and how to connect with them.
The same page gives a sample of environment variables containing connection parameters like user-name password for MySQL database.
VCAP_SERVICES: {
"mongodb-1.8":[{"name":"hello-mongo","label":"mongodb-1.8","plan":"free","credentials":{"hostname":"172.30.48.64","port":25003,"username":"e4f2c402-1153-4dfb-8d98-2f6efc65e441","password":"f17f81e4-9855-4b9c-a22b-e6a9e6f113c3","name":"mongodb-5751dac0-3b5e-405b-a1e1-2b384fe4026d","db":"db"}}],
"redis-2.2":[{"name":"hello-redis","label":"redis-2.2","plan":"free","credentials":{"node_id":"redis_node_4","hostname":"172.30.48.43","port":5002,"password":"e1d7acb0-2baf-42be-84bc-3365aa819586","name":"redis-96836b7c-0949-45fd-a741-c7be5951d52f"}}],
"mysql-5.1":[{"name":"hello-mysql","label":"mysql-5.1","plan":"free","credentials":{"node_id":"mysql_node_5","hostname":"172.30.48.24","port":3306,"password":"pw4EKJqL6na6f","name":"dd9b58515e3cb41958a30bf2af88126fc","user":"uLfJbOmxfSEUt"}}]
}
The page further states:
You can read this information into your application using Java's environment variable API and/or existing Spring XML features but it is easer to consume this information using the new cloud namespace (described here) which parses it out into a convenient Properties object.
Reading this I wondered what implications this setup have for application security. Specifically what measures should the developer take to keep malicious attackers from gaining direct control of backend services like mysql database?
EDIT: Apart from the risk of attacker gaining control of backend service, I also can imagine the risk of attacker causing the application to connect to a malicious backend.
