Acra 0.90.0: application-level encryption and searchable encryption for any SQL and NoSQL databases
We are pleased to announce the Acra Community Edition 0.90.0 release, which makes a broad set of security features, including database encryption, searchable encryption, and encryption-as-a-service API available for any developer.
Shared responsibility model in cloud security: mind the gap
Understanding cloud security. In this article, we examine the security responsibility of cloud providers: where it ends, where the gaps and grey areas are, and what risks security teams should take into account when using “as a service” platforms. So, you’re planning a new business in an area where security matters, and you start thinking about which cloud provider to build your application on. Typically, you start juggling a combination of all the nice building blocks you need and the financial aspects you’re facing.
React Native security: things to keep in mind
React Native security: what developers and team leads need to know. Handle risks and threats, prevent typical security mistakes, follow best engineering practices — learn from our experience.
Audit logs security: cryptographically signed tamper-proof logs
Logs, audit logs, and security events are must-have components of a secure system: they help to monitor ongoing behaviour and provide forensic evidence in case of an incident. Let’s cut through the complexity. In this article, we cover cryptographically signed audit logging, aka “secure logging”, where logs are generated in a way that prevents tampering with messages, removing or adding entries, or changing the order of log entries. We explain why signed logs are essential for security software, how we’ve built secure audit logging into Acra, and how to use it together with other defense-in-depth layers in your systems.
Themis 0.13.0 Is Released
New Themis Release: 0.13.0. Today, the Cossack Labs team is proud to announce the Themis 0.13.0 release. Themis is a high-level “boring” cryptographic library that gives developers easy-to-use, hard-to-misuse building blocks to solve 90% of typical crypto use cases for web and mobile apps. The new update makes storage encryption easier to use and introduces Kotlin support for Android (Kotlin becomes the 14th officially supported language). You can find the latest source code in the GitHub repository.
How to build OpenSSL for Carthage iOS
Imagine your builds going red because of an outdated OpenSSL used by one of your Carthage dependencies. In this story, we share the scripts, error messages, testing matrix, and the working solution we used for Themis to prevent such a situation.
OpenSSL for iOS: tricks of OpenSSL semver
OpenSSL complexity starts with its version string. Apple, Carthage, and some dependency analysis tools have different opinions about it. Here is how we dealt with them and submitted the iOS app to the App Store. So, we decided to update OpenSSL in the iOS app. Themis provides easy-to-use cryptography for multiple languages and platforms. We implement it on top of existing cryptography engines, such as OpenSSL or BoringSSL, which Themis uses as a source of cryptographic primitives.
PII Encryption Requirements. Cheatsheet
This article was initially published in November 2018, then reviewed and updated with information regarding CCPA in April 2020. We frequently see how regulatory requirements are mapped onto real-world demands during the integration of our tools and security consulting projects. Producing a coherent vision of which data assets need to be protected is the first step in designing encryption solutions – in the end, encryption comes at a cost, and it makes sense to know where this cost is justified.
Lift & Shift: cloud security strategy
Intro. When companies move their infrastructures into the cloud, provisioning resources and configuring them to emulate their initial infrastructure — a practice called “lift and shift” — or migrate existing solutions from one platform to another, something inevitably migrates together with all the code and assets: their security assumptions. These security assumptions affect the major security bottleneck — the security team’s time and priorities. And the on-premises threat model and security priorities are very different from cloud-based ones.
How to prepare for data security issues
Understanding data security issues. The first thing that comes to mind when one thinks about security issues is typically some poorly written code that is prone to RCE, XSS, and similar attacks. But hardly anyone deliberately sets out with the intent “I’m going to write some really bad, vulnerable code today!” in mind. Code is always written for a reason, driven by functional demands, culture, and processes. From a software engineer’s point of view, fixing a security issue equals removing an opportunity to exploit something.