Product engineering

How SQL firewalls can help to protect databases from SQL injections: the main difference from web application firewalls (WAFs), common usage scenarios, pros, and cons. We implemented SQL firewall as part of data encryption proxy Acra, and we will share insights about security and development decisions. Expect a story about parsing SQL protocols, matching rules, hidden dangers of logging, best of configuration and usage patterns.

The search over encrypted data is the modern cryptographic engineering problem. We will talk about existing approaches (both well-known and modern), and concentrate on practical solution based on blind index technique to search data in databases. What’s inside: cryptographic and functional schemes, implementation details, practical security evaluation (risk modelling and potential attacks). We will show how theoretical models turn into real, usable, maintainable, security tools. Search over encrypted records is part of Acra encryption proxy.

Dmytro Shapovalov, our senior infrastructure engineer, talks about improving the infrastructure for developing, testing, and delivering security tools. Our experience of smoothing the difference between security idealism and engineering friendliness.

This is a story of going over the typical security challenges: how to build products that reliably deliver security guarantees, how to avoid the typical pitfalls, and how to create tools that could be usable and predictable for real users. It’s a tale of balancing religious adherence to security practices while keeping the customers’ needs in mind all the time, inside the development team; a story of listening to the customers and observing the actual user behaviour outside in the wild, and trying to make the best decisions when it comes to empowering the customers with easy tools for encrypting data in their apps, securely and without pain. Presented for senior software engineers at QConNYC.