2018 was as exciting as it was busy — 7 new versions of Acra Open Source accompanied by Acra Live Demo and Acra Engineering Demo, launch of DGAP security consulting and security training services, over a dozen articles in the blog and Medium, a whole new Documentation Server, talks at conferences all over the world, and many more interesting events.
According to our GitHub statistics, 2018 resulted in:
296 new stars,
Nearly 30,000 downloads from GitHub, package server, and some of the language wrappers which track downloads.
Products, releases, services
Following last year’s tradition of releasing new features on Fridays, Fridays the 13th, and stretches of Mercury retrograde, this year we released several new versions of our cryptographic software products on Fridays (for instance, Acra 0.81.0 on Friday, July 6; Acra 0.83.0 on Friday, September 28; Acra 0.84.0 on Friday, November 9, during Mercury retrograde), as well as on more ordinary days, and added several new services.
The latest version of Acra nicknamed “0.84.0 New Horizons” marked the beginning of the new era for Acra as it grew from a database encryption proxy to a full-fledged data encryption suite. You can follow the whole history of changes throughout v.0.76 to v.0.84.0 in the Changelog, but if you’d like to try Acra hands-on, pick one of three pre-made applications from the Engineering demo.
This year we expanded Acra to support MySQL and significantly improved support for prepared statements, session management, and enforced connection security. Another piece introduced in 2018 that turns Acra into a well-rounded database protection package is the SQL firewall: you can now whitelist or blacklist queries with a flexible syntax, so that unwanted queries are blocked on the only component that has plaintext access to the data. Because the firewall sits where decryption happens, a compromised application that can only issue the queries it was allowed to issue cannot use the proxy to read the whole table.
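To show the shape of query whitelisting and blacklisting in front of a decrypting component, here is an added illustration in Go (Acra’s own language). It is not AcraCensor’s code or its configuration syntax: the rule format, the normalization and the hypothetical `NewDemoFirewall` rule set are assumptions made for this example. Rules are evaluated in order, first match wins, and the default is deny, which is the safe choice for the one component holding plaintext.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Decision is the firewall's verdict for one query.
type Decision string

const (
	Allow Decision = "allow"
	Deny  Decision = "deny"
)

// Rule is a single allow or deny entry; Pattern is matched against the
// normalized query text.
type Rule struct {
	Action  Decision
	Pattern *regexp.Regexp
}

// Firewall evaluates Rules in order and returns the first match; if no
// rule matches, Default applies.
type Firewall struct {
	Rules   []Rule
	Default Decision
}

var spaces = regexp.MustCompile(`\s+`)

// normalize lower-cases the query, collapses whitespace and strips a
// trailing semicolon, so a trivially re-spelled query hits the same rule
// instead of slipping past the list.
func normalize(q string) string {
	q = strings.ToLower(strings.TrimSpace(q))
	q = strings.TrimSpace(strings.TrimSuffix(q, ";"))
	return spaces.ReplaceAllString(q, " ")
}

// Check returns the decision for a raw query as received from the client.
func (f *Firewall) Check(query string) Decision {
	n := normalize(query)
	for _, r := range f.Rules {
		if r.Pattern.MatchString(n) {
			return r.Action
		}
	}
	return f.Default
}

// NewDemoFirewall builds a hypothetical rule set: deny bulk reads and schema
// changes outright, allow only the exact query shapes the application needs,
// and deny everything else.
func NewDemoFirewall() *Firewall {
	rule := func(a Decision, re string) Rule {
		return Rule{Action: a, Pattern: regexp.MustCompile(re)}
	}
	return &Firewall{
		Default: Deny,
		Rules: []Rule{
			rule(Deny, `^select \* from`),
			rule(Deny, `^(drop|alter|truncate) `),
			rule(Allow, `^select id, email from users where id = \$1$`),
			rule(Allow, `^insert into audit_log \(.*\) values \(.*\)$`),
		},
	}
}

func main() {
	fw := NewDemoFirewall()
	for _, q := range []string{
		"SELECT id, email FROM users WHERE id = $1;",
		"select  *  FROM users",
		"DROP TABLE users",
		"select id, email from users where id = 1 or 1=1",
	} {
		fmt.Printf("%-52s -> %s\n", q, fw.Check(q))
	}
}
```

The last sample query is the important one: it is not on the deny list, but it is not on the allow list either, so default-deny blocks it; a firewall that only blacklists would let it through. Matching normalized text with regular expressions is a simplification for the example; comments such as `/**/` or alternative quoting can defeat string normalization, which is why a production SQL firewall parses the query into an AST and matches on its structure rather than its spelling.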
But we’re not stopping here: with every release we try to address the remaining bottlenecks of using encryption in modern applications, one by one. This time we adapted the CipherSweet technique (searchable encryption via blind indexes) to a proxy architecture with improved security guarantees, hardened it here and there, and starting from the beginning of 2019 the enterprise-only versions will let Acra users search encrypted fields in their database. For the open-source community, we intend to present a separate PoC and an accompanying detailed paper.
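The general idea behind CipherSweet-style searchable encryption is a blind index: a keyed, truncated hash of the normalized plaintext stored next to the ciphertext, which the database can equality-match on without ever seeing the plaintext. The Go program below is an added example of that general technique and is not Acra’s implementation (Acra’s adaptation and its hardening are not reproduced here); the demo keys, the `IndexBits` length and the in-memory `Store` are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// Hypothetical demo keys. In practice they come from a key store, and the
// index key MUST be independent of the encryption key: whoever holds the
// index key can test guesses against the index column.
var (
	demoEncKey   = sha256.Sum256([]byte("demo-encryption-key"))
	demoIndexKey = sha256.Sum256([]byte("demo-index-key"))
)

// IndexBits is the truncated length of the blind index. Shorter indexes leak
// less (more distinct plaintexts collide) but produce more false candidates
// that have to be decrypted and discarded.
const IndexBits = 16

type record struct {
	nonce, ciphertext []byte
	index             string
}

// Store stands in for a table with an encrypted column and its index column.
type Store struct {
	encKey, indexKey []byte
	rows             []record
}

func NewStore() *Store {
	return &Store{encKey: demoEncKey[:], indexKey: demoIndexKey[:]}
}

func normalize(v string) string { return strings.ToLower(strings.TrimSpace(v)) }

// BlindIndex is HMAC-SHA256 over the normalized plaintext, truncated to IndexBits.
func BlindIndex(indexKey []byte, value string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(normalize(value)))
	return hex.EncodeToString(mac.Sum(nil)[:IndexBits/8])
}

// seal encrypts with AES-256-GCM under a fresh random nonce, so equal
// plaintexts never produce equal ciphertexts; only the index is deterministic.
func seal(key []byte, plaintext string) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, []byte(plaintext), nil), nil
}

func unseal(key, nonce, ct []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, nonce, ct, nil)
	return string(pt), err
}

// Insert stores the ciphertext together with its blind index.
func (s *Store) Insert(email string) error {
	nonce, ct, err := seal(s.encKey, email)
	if err != nil {
		return err
	}
	s.rows = append(s.rows, record{nonce, ct, BlindIndex(s.indexKey, email)})
	return nil
}

// Find returns the decrypted rows that truly match plus the number of index
// candidates examined. The index is truncated, so candidates can include
// false positives; the decrypt-and-compare step removes them.
func (s *Store) Find(email string) (matches []string, candidates int, err error) {
	idx := BlindIndex(s.indexKey, email)
	for _, r := range s.rows {
		if r.index != idx { // in SQL this is the "WHERE email_idx = $1" step
			continue
		}
		candidates++
		pt, oerr := unseal(s.encKey, r.nonce, r.ciphertext)
		if oerr != nil {
			return nil, candidates, oerr
		}
		if normalize(pt) == normalize(email) {
			matches = append(matches, pt)
		}
	}
	return matches, candidates, nil
}

func main() {
	s := NewStore()
	for _, e := range []string{"Alice@Example.com", "bob@example.com"} {
		if err := s.Insert(e); err != nil {
			panic(err)
		}
	}
	m, cand, err := s.Find("alice@example.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("candidates=%d matches=%q\n", cand, m)
}
```

Two properties matter in practice and both are visible here: the index is deterministic (so `Alice@Example.com` and ` alice@example.com ` land in the same bucket and the database can use a plain equality predicate), and the ciphertext is not (random nonce), so the index is the only equality leakage, and its truncation bounds what an attacker who dumps the index column can distinguish. The price is the verification pass on the decrypting side, which is exactly the kind of work a proxy that already holds the keys is placed to do.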
We are well aware that modern apps store and use the same blobs of data in SQL and non-SQL datastores interchangeably. To enable encryption and decryption outside the SQL environment, we built AcraTranslator, a simple service that decrypts Acra-encrypted records over an API (HTTP or gRPC), which helps when you store data in cloud datastores and databases with non-standard APIs.
To enable performance monitoring and profiling, we added unified and verbose logging, metrics, and tracing. To improve integration in technically constrained architectures, the next step we’re planning for Acra is a transparent encryption mode, which removes the need to change the client application’s code.
A lot of work went into the Themis cross-platform encryption library this year. The only new release in 2018 was Themis 0.10.0, but a new version of Themis with a Rust wrapper and many other features and improvements is scheduled for release in Q1 2019.
This year, aside from thanking the contributors who help us drive Open Source initiatives forward, we have also started celebrating select open-source adopters, whose requests make our tools better for everybody!
Hermes and Toughbase
With less spotlight aimed at them this year, our end-to-end encryption tools are slowly evolving with a small number of early adopters. Developing an end-to-end secure data exchange system isn’t an easy ride for a small team: we are gradually fixing the weaknesses and architectural flaws we detect and preparing Toughbase for general availability later in 2019. Many of the crucial features we are now testing in Acra, such as the cryptographically signed audit log or encrypted record search, will become part of Toughbase after they have proven themselves in that less restrictive environment.
Customer Success Program (DataGuardian Assistance Program)
To assist with the deployment of our software, we launched the DataGuardian Assistance Program (DGAP), a data security consulting and assistance program (updated and renamed the Customer Success Program in 2019) that helps companies enhance their products with encryption tools and improve their security-related engineering processes, focusing on real-life business needs. Over the year it grew into a service of its own, which helps customers tackle sophisticated data security needs even when it is too early for our own tools: integrating encryption into the protection of various sensitive assets, assessing risks and improving the application security of mobile, distributed and embedded apps, and devising and maintaining SSDLC processes during application development.
Our ultimate goal as a company is to make the world a safer place with regard to data security and to assist developers in doing so. Sometimes, tools and services are not enough. We have started training developers in general security awareness topics and the specifics of SSDLC for various computing platforms through a multi-module security training program. It is aimed at giving developers, managers, and C-level staff a better and immediately applicable understanding of how security processes relate to their work.
It started to feel like we had outgrown some of GitHub’s documentation functionality, so we launched our own Cossack Labs Documentation Server, which features docs, tutorials, and advanced scientific documentation for our cryptographic solutions.
The most popular publications in our blog and on the Cossack Labs Medium page were:
GDPR for Engineers: Implementing Rights and Security Demands
How to Implement Tracing in a Modern Distributed Application
Trick or Threat. A Halloween-inspired overview of the horrors and business losses caused by bad data security
Social events, Conferences, Workshops
We have already thanked our ever-expanding team of contributors in another post. As for social events in 2018, the members of our team spoke at a number of large international and local conferences and organised meetups and workshops, including with:
Travels of Professor Felix
A small test run of stickers featuring our mascot Professor Felix that we printed last year turned into several editions of cryptographic chameleons travelling the whole world. We collect photos of Felix during our travels and on your laptops (and other hardware). If you have such photos, please send them to us; we will be thrilled to feature them on our Twitter and Facebook pages!
Professor Felix sticker accompanying our product engineer Anastasiia Voitova in New York at QConNYC.
Season’s greetings and better security to everyone! Happy New Year!