From Dev to Prod: Securing Postgres the Right Way | POSETTE: An Event for Postgres 2026

Sakshi Nasha shares practical guidance for hardening PostgreSQL deployments from development through production, focusing on common security blind spots and concrete techniques teams can apply without slowing delivery.

Overview

Common PostgreSQL security blind spots

The talk focuses on security issues that often slip through when teams rely on defaults until an incident occurs, and how to make security a deliberate part of database design.

SQL injection case study

Nasha breaks down a SQL injection case study to show how application-layer issues can translate into database compromise, and why database permissions and isolation still matter even when application defenses exist.
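The mechanics behind that point, as an added example that is not Nasha's case study: the table, the roles and the payload below are constructed for the demo. PL/pgSQL dynamic SQL stands in for application code that builds query text by concatenation; the `PREPARE`/`EXECUTE` pair shows the bound-parameter equivalent an application driver would use.

```sql
-- Constructed demo, not from the talk. Run as a superuser or the owner of the objects.
CREATE TABLE users (
    id       serial  PRIMARY KEY,
    username text    NOT NULL UNIQUE,
    is_admin boolean NOT NULL DEFAULT false
);
INSERT INTO users (username, is_admin) VALUES ('alice', false), ('root', true);

-- 1. Vulnerable: query text assembled by string concatenation.
CREATE FUNCTION find_user_unsafe(p_name text) RETURNS SETOF users
LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM users WHERE username = ''' || p_name || '''';
END $$;

SELECT * FROM find_user_unsafe('alice');              -- one row, as intended
SELECT * FROM find_user_unsafe('x'' OR ''1''=''1');   -- every row: predicate became  username = 'x' OR '1'='1'

-- 2. Hardened: the value is bound with USING and never becomes part of the SQL text.
CREATE FUNCTION find_user_safe(p_name text) RETURNS SETOF users
LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE 'SELECT * FROM users WHERE username = $1' USING p_name;
END $$;

SELECT * FROM find_user_safe('x'' OR ''1''=''1');     -- zero rows: the payload is just a string

-- Application-side equivalent: a server-side prepared statement with a bound parameter.
PREPARE find_user(text) AS SELECT * FROM users WHERE username = $1;
EXECUTE find_user('x'' OR ''1''=''1');                -- zero rows

-- 3. Defense in depth: the role the application connects as gets only what its queries need,
--    so an injection that slips past the application is contained by the database.
CREATE ROLE app_reader LOGIN PASSWORD 'change-me' NOSUPERUSER NOCREATEDB NOCREATEROLE;
GRANT SELECT (id, username) ON users TO app_reader;  -- column-level grant: is_admin is not readable

SET ROLE app_reader;
SELECT id, username FROM users WHERE username = 'alice';      -- works: the legitimate query
SELECT * FROM find_user_unsafe('x'' OR ''1''=''1');           -- ERROR: permission denied for table users
RESET ROLE;
```

The last statement fails because `SELECT *` needs SELECT on every column and `is_admin` was never granted; the same grant would also stop an attacker from reading that column through the vulnerable function.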

Least privilege and role boundaries

Key practices covered include:

Schema isolation for safer deployments

The session discusses schema isolation as a way to reduce accidental access and limit the impact of compromised credentials or misconfigurations.
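An added example covering both the least-privilege practices and the schema isolation discussed above (not code from the talk): one non-login owner role per service schema, runtime roles that cannot create objects, default privileges so new migrations inherit the same boundaries, and a final check of the resulting permissions. The role and schema names are illustrative; the script assumes it is run as a superuser.

```sql
-- Constructed example, not from the talk. Names (billing_owner, billing_app, billing_ro) are illustrative.

-- 1. Nobody creates objects in public (this is already the default from PostgreSQL 15 on).
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. A non-login role owns each service's schema and objects; migrations run as that role.
CREATE ROLE billing_owner NOLOGIN;
CREATE SCHEMA billing AUTHORIZATION billing_owner;

SET ROLE billing_owner;
CREATE TABLE billing.invoices (
    id       bigserial   PRIMARY KEY,
    customer text        NOT NULL,
    amount_c bigint      NOT NULL CHECK (amount_c >= 0),
    created  timestamptz NOT NULL DEFAULT now()
);
RESET ROLE;

-- 3. Runtime roles: USAGE on the schema plus the DML they need, nothing else.
CREATE ROLE billing_app LOGIN PASSWORD 'change-me' NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;
CREATE ROLE billing_ro  LOGIN PASSWORD 'change-me' NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;

GRANT USAGE ON SCHEMA billing TO billing_app, billing_ro;
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA billing TO billing_app;  -- no DELETE, no TRUNCATE
GRANT USAGE ON ALL SEQUENCES IN SCHEMA billing TO billing_app;                -- needed for bigserial inserts
GRANT SELECT ON ALL TABLES IN SCHEMA billing TO billing_ro;

-- 4. Objects the owner creates later get the same grants automatically, so a new table
--    from a migration does not land with no access (or with whatever someone grants in a hurry).
ALTER DEFAULT PRIVILEGES FOR ROLE billing_owner IN SCHEMA billing
    GRANT SELECT, INSERT, UPDATE ON TABLES TO billing_app;
ALTER DEFAULT PRIVILEGES FOR ROLE billing_owner IN SCHEMA billing
    GRANT USAGE ON SEQUENCES TO billing_app;
ALTER DEFAULT PRIVILEGES FOR ROLE billing_owner IN SCHEMA billing
    GRANT SELECT ON TABLES TO billing_ro;

-- 5. Per-role guard rails for runtime sessions.
ALTER ROLE billing_app SET search_path = billing;
ALTER ROLE billing_ro  SET search_path = billing;
ALTER ROLE billing_app SET statement_timeout = '5s';
ALTER ROLE billing_ro  SET default_transaction_read_only = on;

-- 6. Verify the boundaries instead of assuming them (all four should be false).
SELECT has_schema_privilege('billing_app', 'billing',          'CREATE') AS app_can_create,
       has_table_privilege ('billing_app', 'billing.invoices', 'DELETE') AS app_can_delete,
       has_table_privilege ('billing_ro',  'billing.invoices', 'INSERT') AS ro_can_insert,
       has_schema_privilege('billing_ro',  'public',           'CREATE') AS ro_create_public;
```

A second service gets its own owner, schema and runtime roles with the same pattern; because neither runtime role holds USAGE on the other schema, a leaked `billing_app` credential cannot even name objects outside `billing`.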

search_path as a security risk

Nasha highlights how PostgreSQL's search_path can become a security issue if not controlled, especially in environments with multiple schemas and mixed trust boundaries.

Risks with SECURITY DEFINER functions

The talk covers how SECURITY DEFINER functions can be exploited when used incorrectly, and why function ownership and execution context need careful review.
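The two risks above are one attack in practice: a SECURITY DEFINER function switches the user ID but keeps the caller's `search_path`, so any unqualified name in its body resolves in schemas the caller controls. The following added example (constructed for this page, not from the talk) walks through the escalation and the fix. It assumes a superuser runs the administrator parts, that the low-privilege role `mallory` has been given a schema of the same name (a common per-user convention), and that the default `search_path` is `"$user", public`.

```sql
-- Constructed demo, not from the talk. Assumes: superuser runs the admin steps,
-- role "mallory" owns a schema named "mallory", default search_path is "$user", public.

-- Administrator side: a helper plus a SECURITY DEFINER wrapper that calls it UNQUALIFIED.
CREATE ROLE mallory LOGIN PASSWORD 'change-me';
CREATE SCHEMA AUTHORIZATION mallory;                     -- schema "mallory", owned by mallory

CREATE TABLE public.audit_log (at timestamptz DEFAULT now(), who text, note text);

CREATE FUNCTION public.record_note(p_note text) RETURNS void
LANGUAGE sql AS $$
    INSERT INTO public.audit_log (who, note) VALUES (session_user, p_note);
$$;

CREATE FUNCTION public.audited_action(p_note text) RETURNS void
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    PERFORM record_note(p_note);   -- BUG: unqualified call, function has no pinned search_path
END $$;
-- Owned by the superuser; EXECUTE is granted to PUBLIC by default for new functions.

-- Attacker side: shadow the helper in the schema that precedes public in the search_path.
SET ROLE mallory;
CREATE FUNCTION mallory.record_note(p_note text) RETURNS void
LANGUAGE plpgsql AS $$
BEGIN
    ALTER ROLE mallory SUPERUSER;  -- executes as the definer, i.e. as the superuser
END $$;
SELECT public.audited_action('hello');                   -- "$user" = mallory, so mallory.record_note wins
RESET ROLE;
SELECT rolsuper FROM pg_roles WHERE rolname = 'mallory'; -- true: privilege escalated

-- Fix: pin search_path to pg_catalog (pg_temp last so temp objects cannot shadow either),
-- schema-qualify every reference, and stop handing EXECUTE to PUBLIC.
ALTER ROLE mallory NOSUPERUSER;
CREATE OR REPLACE FUNCTION public.audited_action(p_note text) RETURNS void
LANGUAGE plpgsql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    PERFORM public.record_note(p_note);                  -- explicit schema
END $$;
REVOKE EXECUTE ON FUNCTION public.audited_action(text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION public.audited_action(text) TO mallory;   -- only the roles that need it

SET ROLE mallory;
SELECT public.audited_action('hello again');             -- writes to audit_log; mallory.record_note is ignored
RESET ROLE;
SELECT rolsuper FROM pg_roles WHERE rolname = 'mallory'; -- false

-- Audit query: SECURITY DEFINER functions with no search_path setting at all.
SELECT n.nspname, p.proname, pg_get_userbyid(p.proowner) AS owner
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  p.prosecdef
  AND  NOT EXISTS (SELECT 1 FROM unnest(p.proconfig) c WHERE c LIKE 'search_path=%')
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema');
```

Two review points follow from the demo: who owns a SECURITY DEFINER function matters as much as what it does (a superuser-owned one hands out superuser on any resolution mistake), and the audit query belongs in CI so a function added without `SET search_path` fails the build rather than the incident review.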

Protecting data in transit and at rest

The session includes practical guidance for:
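The page does not list the guidance itself. As an added example (not from the talk), here is a baseline a practitioner would check for transport encryption, credential hashing and in-database encryption of a sensitive column. The certificate paths, network range and key string are assumptions for the demo; the `pg_hba.conf` lines appear as comments because that file is edited on disk, not through SQL.

```sql
-- Constructed example, not from the talk. Paths, CIDR and key material are placeholders.

-- 1. Transport: TLS on, legacy protocol versions off. ALTER SYSTEM writes postgresql.auto.conf.
ALTER SYSTEM SET ssl = on;                                           -- needs a server restart
ALTER SYSTEM SET ssl_cert_file = '/etc/postgresql/tls/server.crt';   -- assumed path
ALTER SYSTEM SET ssl_key_file  = '/etc/postgresql/tls/server.key';   -- assumed path, mode 0600
ALTER SYSTEM SET ssl_min_protocol_version = 'TLSv1.2';
SELECT pg_reload_conf();
-- pg_hba.conf (on disk): TLS plus SCRAM from the application network, plaintext explicitly rejected.
--   hostssl    all  all  10.0.0.0/8  scram-sha-256
--   hostnossl  all  all  0.0.0.0/0   reject

-- 2. Credentials: new passwords hashed with SCRAM, and a query for roles still on md5.
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT rolname
FROM   pg_authid
WHERE  rolpassword IS NOT NULL
  AND  rolpassword NOT LIKE 'SCRAM-SHA-256$%';
-- Each role listed needs its password set again (ALTER ROLE ... PASSWORD) to get a SCRAM verifier.

-- 3. Verify from inside a session that the connection is actually encrypted, and how.
SELECT ssl, version, cipher
FROM   pg_stat_ssl
WHERE  pid = pg_backend_pid();

-- 4. At rest, inside the database: pgcrypto for a column the application never searches on.
--    The key is supplied by the application as a parameter and is stored nowhere in Postgres.
CREATE EXTENSION IF NOT EXISTS pgcrypto;
CREATE TABLE customer_secret (
    customer_id bigint PRIMARY KEY,
    card_token  bytea  NOT NULL                      -- ciphertext only
);
PREPARE store_token(bigint, text, text) AS
    INSERT INTO customer_secret VALUES ($1, pgp_sym_encrypt($2, $3, 'cipher-algo=aes256'));
PREPARE read_token(bigint, text) AS
    SELECT pgp_sym_decrypt(card_token, $2) FROM customer_secret WHERE customer_id = $1;

EXECUTE store_token(42, 'tok_constructed_example', 'key-from-app-secret-store');
EXECUTE read_token(42, 'key-from-app-secret-store');   -- tok_constructed_example
EXECUTE read_token(42, 'wrong-key');                   -- ERROR:  Wrong key or corrupt data
```

Two caveats that go with step 4: a key passed in SQL text is visible to `log_statement = 'all'` and to anyone reading the server log, so the application should bind it as a protocol-level parameter rather than interpolating it, and column encryption does not replace encrypting the data directory and the backups, which happens below the database.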

Postgres 17 and 18 security and observability enhancements

Nasha calls out newer PostgreSQL enhancements around security and observability in Postgres 17 and 18.

Final checklist and takeaways

The talk closes with a security checklist intended to help teams turn security into a repeatable habit across development and production.