Acra on DigitalOcean Marketplace
We always strive to make high-end security tools available to general developer audience in a convenient fashion. Only by making data security accessible, we can ensure real security of sensitive data everywhere. As another step towards our mission, we are proud to announce that Acra encryption suite is now available as 1-Click App running in a Droplet on DigitalOcean Marketplace . DigitalOcean is known for its caring attitude towards development teams of any size.
Defense in depth security strategy based on data encryption
Intro # Any set of security controls deployed in your infrastructure may fail. Given enough pressure, some controls will certainly fail. No surprises here, but the question is – how to build our systems to make security incidents less damaging in case of a failure of some components? How to prevent data leaks even in case of a successful data breach? Building security tools , we strive towards defense in depth approach.
New Themis 0.11.1
New Themis is greatly improved and sparkly with additions. We are proud to introduce Rust-Themis – full support of Themis for Rust. Rust-Themis works with all four crypto-systems: Secure Cell for storing data securely, Secure Message for encrypting and signing envelopes, Secure Session for encrypting session communications and Secure Comparator for zero-knowledge authentication. All Rust-Themis components can be installed from crates.io . Jump to the Rust How-To guide to learn more.
ACRA 0.85.0 LOOKING GLASS
New Acra 0.85.0 brings the expanded functionality we’ve announced during the release of Acra 0.84.0. We’ve added server-side encryption mode which allows integrating Acra without altering the client application code. It’s called AcraServer’s Transparent proxy mode and allows you to configure AcraServer to parse SQL queries and to encrypt values designated for specific database columns. Transparent encryption mode is useful for large distributed applications where updating the source code of each client app separately would be complicated.
How to build an SQL Firewall
Building AcraCensor transparent SQL firewall There are two main ways to mitigate SQL injections: inside the app (using prepared statements, stored procedures, escaping) and outside the app (using Web Application Firewalls or SQL firewalls). WAFs analyse web and HTML traffic using rule sets based on regexs and are good for covering the known vulnerabilities. SQL firewalls sit closer to the database, analyse SQL statements for potentially malicious content, which makes them more flexible in SQL injections prevention.
How to prevent SQL injections when WAF’s not enough
Can WAF prevent SQL injection? What is the biggest threat to a tool that prevents unauthorised database access? Requests from the application side that trigger data leakage. Namely, SQL injections and other application attacks that allow attackers to craft custom SQL queries. How can we prevent that? The standard industry response is obvious — input sanitization, web application firewalls (WAFs), and prepared statements are typically used for addressing these concerns.
Blockchain & GDPR: dos and don’ts while achieving compliance
On blockchain and GDPR As cryptographers who develop data security tools that heavily involve cryptography (surprise surprise), we get asked a lot of questions about “crypto”. Unfortunately, not “cryptozoology”* crypto, but neither it is cryptography. Very often it is about blockchain. More and more tools claim to have “unprecedented levels of security” or “GDPR compliance & security by design” when using security designs based on blockchain and distributed consensus systems.
Looking Back at 2018 — A Year in Retrospect
2018 was as exciting as it was busy — 7 new versions of Acra Open Source accompanied by Acra Live Demo and Acra Engineering Demo, launch of DGAP security consulting and security training services, over a dozen articles in the blog and Medium, a whole new Documentation Server, talks at conferences all over the world, and many more interesting events. Stats According to our GitHub statistics, 2018 resulted in:
Thank You for Contributing and Using Themis in 2018
We believe that everyone should be able to create secure applications and protect users’ privacy. That’s why our main cryptographic components are open source and developer-friendly. But open-source would be nothing without external contributions and feedback from users. We would like to publicly celebrate our open-source contributors and users who challenged us to make our open-source offerings more robust by asking hard questions, pointing out usability problems and potential usage patterns we were not aware of before.
Hiring External Security Team: What You Need to Know
In our company, we’ve succeeded in clearly articulating the deliverables of our products and consulting projects. Building a network of great partners and delegating the work out of range of our primary competencies to them helps both parties concentrate on what’s we’re best at. However, there are a lot of challenges in building distributing the work between different types of security specialists. Larger part of the market is still struggling to show a viable differentiation for the customer looking to mitigate various infosec-related risks.