23 Mar 2021
"Cloud is secure" is a mistaken belief: deploying an app to the cloud sounds like outsourcing risk, while in reality it is closer to sharing it. In this article, we examine where the security responsibility of cloud providers ends, what the gaps and grey areas are, and what risks security teams should take into account when using "as a service" platforms.
22 Oct 2020
In this article, we shed light on the security of React Native apps based on our experience, and explain the risks and threats developers should address to prevent typical mistakes.
14 Sep 2020
We cover cryptographically signed audit logging: logs generated in a way that prevents tampering with messages, removing or adding entries, or changing their order. We explain why signed logs are essential for security software, how we built secure audit logging into Acra, and how to use it together with other defence-in-depth layers in your systems.
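The property described above, shown as an added example that is not Acra's own code: a hash-chained HMAC audit log in Go, where each entry's MAC covers its sequence number, its message and the previous entry's MAC, so that editing, deleting, inserting or reordering entries breaks verification. The key, the log lines and the `Entry` layout are constructed for this demonstration and do not reflect Acra's actual log format or key handling.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one audit-log record. MAC covers the sequence number, the message
// and the MAC of the previous entry, so every record is bound both to its
// position and to its predecessor.
type Entry struct {
	Seq uint64
	Msg string
	MAC []byte
}

// chainMAC computes HMAC-SHA256(key, prevMAC || seq || len(msg) || msg).
// The length prefix keeps field boundaries unambiguous.
func chainMAC(key []byte, seq uint64, msg string, prev []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(prev)
	fmt.Fprintf(m, "%d:%d:%s", seq, len(msg), msg)
	return m.Sum(nil)
}

// SignLog produces the chained entries for msgs, starting from an all-zero
// "genesis" MAC.
func SignLog(key []byte, msgs []string) []Entry {
	prev := make([]byte, sha256.Size)
	entries := make([]Entry, 0, len(msgs))
	for i, msg := range msgs {
		mac := chainMAC(key, uint64(i), msg, prev)
		entries = append(entries, Entry{Seq: uint64(i), Msg: msg, MAC: mac})
		prev = mac
	}
	return entries
}

// VerifyLog walks the chain and returns the index of the first entry that
// fails (wrong position, modified message, or broken link to its
// predecessor), or -1 if the log is intact. tail, if non-nil, is the MAC of
// the last entry as recorded out of band (a separate store, a checkpoint, a
// remote witness); without it, silently cutting off the end of the log cannot
// be detected. A tail mismatch is reported as index len(entries).
func VerifyLog(key []byte, entries []Entry, tail []byte) int {
	prev := make([]byte, sha256.Size)
	for i, e := range entries {
		if e.Seq != uint64(i) {
			return i
		}
		if !hmac.Equal(e.MAC, chainMAC(key, e.Seq, e.Msg, prev)) {
			return i
		}
		prev = e.MAC
	}
	if tail != nil && !hmac.Equal(prev, tail) {
		return len(entries)
	}
	return -1
}

func main() {
	key := []byte("constructed demo key, not for production") // constructed sample
	log := SignLog(key, []string{ // constructed sample log lines
		"2020-09-14T10:00:00Z session opened client=app1",
		"2020-09-14T10:00:02Z query SELECT id FROM users WHERE id=42",
		"2020-09-14T10:00:05Z session closed client=app1",
	})
	tail := log[len(log)-1].MAC
	for _, e := range log {
		fmt.Printf("%d %s %s\n", e.Seq, hex.EncodeToString(e.MAC[:8]), e.Msg)
	}
	fmt.Println("intact log, first failure at:", VerifyLog(key, log, tail))

	// Drop the middle entry: the survivor's Seq no longer matches its position.
	removed := []Entry{log[0], log[2]}
	fmt.Println("entry removed, first failure at:", VerifyLog(key, removed, tail))
}
```

Two caveats a practitioner should keep in mind. The chain alone proves nothing about the end of the log: an attacker who can delete the last N entries leaves a perfectly valid shorter chain, which is why the example checks a tail MAC stored outside the log. And because HMAC is symmetric, anyone holding the key can rewrite history; if the verifier should not be able to forge entries, the per-entry MAC is replaced by a digital signature under a key the log writer alone controls.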
9 Jul 2020
Themis 0.13.0 release: introducing new “encrypt-with-passphrase” API, new API for generating symmetric keys, support for Kotlin for Android, and updated Themis knowledge base.
10 Jun 2020
OpenSSL complexity starts with its version string. Apple, Carthage, and some dependency analysis tools have different opinions about it. Here is how we dealt with them and submitted an iOS app to the App Store.
10 Jun 2020
This story is dedicated to fellow developers struggling with updating a Carthage package with the latest OpenSSL for iOS and macOS apps. Here you will find the scripts, error messages, testing matrix, and our working solution for Themis to this no small feat. We believe it could save you time when you face the same task.
2 Apr 2020
What data is sensitive and needs to be encrypted according to the modern data privacy regulations like GDPR, CCPA, HIPAA, FFIEC, etc.? This is a cheat sheet and an explanation of how we approach answering these questions.
20 Nov 2019
When moving to the cloud, your threat model changes. Learn how to reallocate your security efforts effectively.
28 Oct 2019
Don't be afraid of security incidents, prepare for them in advance. Choose the scenario that suits your company and fits your budget.
27 Sep 2019
Themis 0.12.0 release: full support for WebAssembly/Electron applications plus an experimental installation for Windows!
5 Sep 2019
How we helped the Bear note taking app for iOS/macOS, which decided to implement note encryption for their huge existing user base. A story about finding a balance between usability, security, and mobile platforms' restrictions.
23 Jul 2019
A brief overview of what searchable encryption is and which tools allow secure search over encrypted data.
7 May 2019
Step-by-step installation and configuration tutorial.
16 Apr 2019
Acra encryption suite is now available as 1-Click App running in a Droplet on DigitalOcean Marketplace.
4 Apr 2019
How to protect the data in your app infrastructure using the defence-in-depth approach, with Acra encryption suite as the worked example.
2 Apr 2019
Meet numerous improvements, the new Rust-Themis wrapper, and expanded code distribution options in the new version of the Themis encryption library.
15 Mar 2019
Introducing more flexible configuration for AcraCensor and server-side encryption mode for AcraServer. Secure search over encrypted data available for Acra Enterprise now!
5 Mar 2019
Preventing SQL injections is troublesome: a WAF is easy to bypass and a good SQL firewall is hard to find. We ended up building our own open source SQL firewall. This is how we did it.
13 Feb 2019
Using an SQL firewall to protect a database against SQL injections at scale, compared to a WAF.
22 Jan 2019
Blockchain solves several technical challenges. Sadly, while it can be helpful, using it won't make your product automatically secure or GDPR-compliant.
31 Dec 2018
Seven releases of Acra, Customer Success Program and security training services, a whole new Docserver, conference talks all over the world, and much more.
20 Dec 2018
We are extremely grateful to our open-source contributors and for the feedback from select users and want to recognize and celebrate their input in 2018!
27 Nov 2018
Contrary to popular opinion, security consulting is not limited to pentests and compliance audits. In this article, we’ve outlined the 4 main security-related business risks and charted out the way to help you choose the consulting type that best suits your business.
22 Nov 2018
A battle-tested explanation of why tracing is a very useful technique you can benefit from in your projects. A story from the trenches of implementing distributed tracing in our Acra data security suite.
9 Nov 2018
The release of Acra version 0.84.0 marks the new frontier for the data security suite.
28 Sep 2018
Key rotation made easy: if a client application is compromised, the new AcraRotate utility lets you update storage keys and re-encrypt the data. SQL filtering got more flexible with 6 new patterns (including SUBQUERY and LIST_OF_VALUES), allowing you to define accepted queries very precisely and block malicious requests. Read the full post for more details on how Acra 0.83.0 helps protect your databases.
20 Sep 2018
Mapping data privacy regulation to changes in database structure, updates in DevOps practices, backups, and restricted processing. A methodical developer’s perspective.
16 Aug 2018
How we detect massive data leaks and firewall exfiltration in Acra.
14 Aug 2018
Introducing AcraTranslator: now you can store AcraStructs wherever it is convenient. Plus we've added pattern matching for SQL filtering in AcraCensor and a number of other improvements.
13 Jul 2018
An overview of the conferences and meetups in which the Cossack Labs team participated recently. Also, the first-ever post on our blog containing emoji.
6 Jul 2018
This release brings better prevention of SQL injections with the new AcraCensor, better handling of real-life SQL queries (including prepared statements and complex JOINs), and a lot of improvements in other key areas of Acra.
31 May 2018
We couldn’t wait till summer so the new slick version of Acra is here. Better, cooler, with improved usability and all renamed.
29 May 2018
We tried out and described a few approaches to reducing the size of Docker images for the components of our database encryption suite Acra. As a result, we found a way to reduce the container size by roughly 62 times.
13 Apr 2018
Acra 0.77.0 is here! We’ve added integration with MySQL databases and made Acra even more useful adding a firewall for SQL requests, a web configuration utility, and a huge selection of Docker compose files you can easily try Acra with.
9 Apr 2018
Going through breaking changes and avoiding pitfalls in the process of moving from OpenSSL 1.0.2 to OpenSSL 1.1.0.
12 Mar 2018
After a year in testing by early adopters, we’re starting to push new features into the open-source version of Acra.
6 Feb 2018
Meet the perfect ten! A sleek update with breaking changes and major improvements.
29 Dec 2017
Looking back at the accomplishments of the year.
25 Dec 2017
14 Dec 2017
Rolling out the brand new shiny Themis 0.9.6! OpenSSL 1.1 is now supported.
13 Dec 2017
Today is the release day for Hermes-core 0.5.1, a proof-of-concept version of Hermes, a framework for cryptographically assured access control and data security.
23 Nov 2017
Turning macros into auditable C code in Themis, a highly parameterised cross-platform cryptographic library, with the help of preprocessor customisation.
21 Sep 2017
The second article in a series of three that covers our experiments with different sources of crypto primitives for Themis. This time we tested its multi-platform capabilities with Libsodium.
15 Sep 2017
Themis 0.9.5 is here! Improved compatibility, small fixes, nice extras, and pre-built binaries from package server for your convenience.
11 Jul 2017
To provide better multi-platform support in Themis, we've built a multi-donor abstraction layer for cryptographic primitives, called Soter. This is the first article in a series of three covering our experiments with different sources of crypto primitives, starting with BoringSSL.
8 Mar 2017
Today we're revealing Acra: a database security suite, built to provide selective encryption and intrusion prevention for modern microservice-rich products and web apps.
6 Mar 2017
The best cases of boring technical debt are only understood when reflected on properly. This post addresses a simple one: inelegant flags in the core C library ended up breaking Python tests. This is no small matter to us: when tests break, things may seem to work without really working. Not something you can afford when you're doing cryptography, is it?
28 Feb 2017
Investigating memory leaks can be fun, sometimes. Sometimes it might even teach you a few lessons in how the language you know and like actually works.
30 Dec 2016
The bright and eventful year 2016 has quietly come to an end. Here is a summary of our work!
21 Dec 2016
In an ongoing effort to make Themis functions available anywhere we (and potential users) might need them, we're starting to release Themis wrappers for popular databases. This post outlines the first two - for Redis and PostgreSQL databases.
13 Dec 2016
Previously, we’ve talked about classic design patterns in backend data security and about key management goals and techniques. In this article, we'll discuss how modern approaches differ and shed light on our solutions. Updated in 2019
23 Nov 2016
Glad to announce Themis 0.9.4! Minor changes for a new stable version.
26 Oct 2016
... neither security vendors, nor governments, nor big corporations can fix the current state of things on their own. It's everybody's duty, and the earlier we understand it, the better.
21 Sep 2016
The second article in the series, Key Management 101, talks about basic key management concepts, goals, and methods to achieve them.
15 Aug 2016
In the upcoming series of articles, we'll ascend from classic database security techniques to modern technologies, including some cutting-edge research data and our own experiments.
27 Jul 2016
In this post, we talk about Zero-Knowledge Proofs, tie ZKP authentication to traditional security models and help you understand better how authentication, in general, should work.
20 Jul 2016
Lighter reading: general thoughts on how the familiar mindset of 'protect the perimeter' changed over time.
26 May 2016
Themis 0.9.3 released: new wrappers for Go, NodeJS, C++, Google Chrome and much more.
23 May 2016
This blog post features an infographic on how to choose cryptographic frameworks when developing Android apps, and adds a few notes about native vs. Java crypto.
21 Apr 2016
Sesto is one of PoC tools we've developed while working on WebThemis - the cryptographically sane front-end framework for Google Chrome. Sesto enables web users to store any secrets (for example, login credentials) on the server and use them from any computer that has Google Chrome installed.
7 Apr 2016
This post summarizes our experiences of testing Secure Comparator as an authentication mechanism for HTTP.
While we were planning, designing and implementing Comparator, the real infrastructure in which it has to function (letting Toughbase instances without shared trust exchange records and request personal data safely) was very far from ready, but we wanted to understand how good it was for some practical applications. So we chose the obvious: seeing how SC could work as an HTTP authentication mechanism.
30 Mar 2016
This blog post features an infographic on how to choose crypto when developing iOS apps. It's always useful to put tool choice in the context of causes (goals) and effects. This is what we've tried to do in this post.
17 Mar 2016
While doing some protocol design for front-end clients with WebThemis services, we wanted to try it in real-world situations first: how easily could we deploy complicated cryptographic behaviour into web apps? Turns out, quite easily. This post describes one such web app, designed to illustrate some zero-server-trust design patterns we're using in other developments.
14 Mar 2016
As we are still using LibreSSL as a donor for some of the cryptographic primitives, with every new architecture we have to make sure that LibreSSL compiles well. This post describes our challenges with PNaCl.
9 Mar 2016
Themis Server is an interactive debugging environment for Themis: an easy way to try what Themis can do, debug your working code, and get easy-to-test examples (specifically cooked to talk to Themis Server).
8 Mar 2016
This post outlines our experience of porting a typical C/C++ library (Themis, in our case) to a PNaCl module. A few challenges, a number of interesting riddles, and Themis suddenly has a new home!
3 Mar 2016
Threats you may face when implementing cryptography in JavaScript within your web application.
1 Mar 2016
Introducing WebThemis: a Google Chrome library to develop secure web applications.
11 Feb 2016
After publishing the Secure Comparator paper, we received a number of concerns from the cryptographic community about a possible security breach in the case where one of the parties intentionally deviates from the protocol. We've addressed these concerns, and in this blog post and paper update we elaborate on how and why.
9 Dec 2015
Secure Comparator is a novel authentication technique we're proposing for the cryptographic community to evaluate. It can be used as an id/secret pair authenticator in environments where no trust relationships exist between the two parties.
26 Nov 2015
Current technological advancements in authenticating users seem to be sufficient for most cases. However, a more detailed look reveals weaknesses and trade-offs in all existing authentication schemes. Before explaining the methodology and cryptography behind Secure Comparator, our authentication protocol, we wanted to outline the reasons for developing it in a brief review of existing authentication methods.
20 Nov 2015
Having been asked several times "Is Secure Session prone to attacks similar to WeakDH/Logjam?", we've decided to outline some principal differences which render Secure Session secure against these attacks.
18 Nov 2015
When developing new, advanced features of the Themis library, we had to extend some of the ECC cryptography available in open source with our own implementation to provide simple point multiplication with a random (unknown in advance) point. To achieve that, we extended Daniel J. Bernstein's implementation of ed25519 with our own math and code. This blog post outlines our direction of thinking.
4 Nov 2015
Introducing updated and polished Themis, release 0.9.2.
28 Oct 2015
TL;DR: SSL is huge, inefficient, complex and may present plenty of security threats. For most platforms, it's the best we've got. For some, where it can be configured properly, it's a lifesaver. For many, it's the illusion of security. Let's see what applies to your application.
1 Oct 2015
This tutorial shows simple ways of integrating the cryptographic services provided by the Themis cryptographic library into your existing multi-platform application.
22 Sep 2015
Some important notes on introducing experimental, bleeding-edge features to Themis, the changes in the Themis build system related to these features, and a tease of new things to come.
3 Jun 2015
How we did usability testing for Themis when releasing the open source library to the public.
Being ready to release Themis, we've gathered a few colleagues and decided to make a test run on unsuspecting developers - how would the library blend into their workflows?
18 May 2015
We are proud to present Themis, a novel cryptographic services library.
Every good work of software starts by scratching a developer's personal itch. (The Cathedral and the Bazaar)