Acra

Fully transparent encryption of sensitive fields is possible with open source Acra 0.93 release. Acra works on SQL protocol level, hiding details from developers and reducing encryption integration cost. Learn how it works under the hood.

All developers need to know about using OCSP and CRL for validating TLS certificates in Go apps. Things we’ve learnt while building our own OCSP/CRL validation tooling: design, implementation and security tips, example code and popular mistakes.

We are pleased to announce the Acra Community Edition 0.90.0 release, which makes a broad set of security features, including database encryption, searchable encryption, and encryption-as-a-service API available for any developer.

Logs, audit logs, and security events are must-have components of a secure system, which help to monitor ongoing behaviour and provide forensic evidence in case of an incident. Let’s cut through complexity. In this article, we cover cryptographically signed audit logging, aka “secure logging”, when logs are generated in a certain way which prevents tampering messages, removing, adding or changing the order of log entries. We explain why signed logs are essential for security software, how we’ve built-in secure audit logging in Acra, and how to use it together with other defense in-depth layers in your systems.

Intro # More and more data is outsourced to remote (cloud) storage providers fuelled by “software as a service” trends in enterprise computing. Data owners want to be certain that their data is safe against thefts by outsiders, internal threats, and untrusted service providers alike. To safeguard the data, encryption is used. Modern encryption is much more than enabling “data at rest encryption” checkbox on AWS S3 or using TLS connection between database and backend.

Cossack Labs has recently joined the DigitalOcean Marketplace family following our mission to make high-end security tools available to the general developer audience in a convenient fashion. Acra encryption suite is one of the first data security and encryption tools on DigitalOcean Marketplace and it is now available as 1-Click App running in DigitalOcean Droplet . Acra provides selective encryption, multi-layered access control, SQL firewall (SQL injection prevention), database leakage prevention, and intrusion detection capabilities as server deployed in your infrastructure (on prem or in cloud).

We always strive to make high-end security tools available to general developer audience in a convenient fashion. Only by making data security accessible, we can ensure real security of sensitive data everywhere. As another step towards our mission, we are proud to announce that Acra encryption suite is now available as 1-Click App running in a Droplet on DigitalOcean Marketplace . DigitalOcean is known for its caring attitude towards development teams of any size.

Intro # Any set of security controls deployed in your infrastructure may fail. Given enough pressure, some controls will certainly fail. No surprises here, but the question is – how to build our systems to make security incidents less damaging in case of a failure of some components? How to prevent data leaks even in case of a successful data breach? Building security tools , we strive towards defense in depth approach.

New Acra 0.85.0 brings the expanded functionality we’ve announced during the release of Acra 0.84.0. We’ve added server-side encryption mode which allows integrating Acra without altering the client application code. It’s called AcraServer’s Transparent proxy mode and allows you to configure AcraServer to parse SQL queries and to encrypt values designated for specific database columns. Transparent encryption mode is useful for large distributed applications where updating the source code of each client app separately would be complicated.

Can WAF prevent SQL injection? What is the biggest threat to a tool that prevents unauthorised database access? Requests from the application side that trigger data leakage. Namely, SQL injections and other application attacks that allow attackers to craft custom SQL queries. How can we prevent that? The standard industry response is obvious — input sanitization, web application firewalls (WAFs), and prepared statements are typically used for addressing these concerns.

2018 was as exciting as it was busy — 7 new versions of Acra Open Source accompanied by Acra Live Demo and Acra Engineering Demo, launch of DGAP security consulting and security training services, over a dozen articles in the blog and Medium, a whole new Documentation Server, talks at conferences all over the world, and many more interesting events. Stats According to our GitHub statistics, 2018 resulted in:

Distributed tracing is incredibly helpful during the integration and optimisation of microservice-rich software. Before implementing tracing as a publicly available feature in the latest version of Acra, we did a small research to catch up with current industry standards in tracing protocols and tools. In this article, we’ve decided to explain, why tracing is a very useful thing and how you can benefit from using it in your projects.

The main new features of Acra 0.84.0 are based around the DevOps’ needs – they eliminate the need to have a deep knowledge of secure development and cryptography to protect your data using Acra. Logs, metrics, and full-scale tracing will help during the deployment and usage of Acra. You can export them to your favourite tools (i.e. ELK, Prometheus, Jaeger) and monitor Acra’s load, performance, and behaviour, in real-time. Great things are planned for the next few releases.

As the days were getting shorter, our pull requests were getting longer, and here we are now, proud to present Acra 0.83.0. Its distinctive new feature is the AcraRotate utility, which allows you easily rotate the storage keys on a regular basis or perform an emergency key rotation if you’ve detected (or suspect) a compromise of the client app. SQL filtering got more flexible — the new 6 patterns (including SUBQUERY and LIST_OF_VALUES) allow deep customisation for configuring the accepted queries and blocking malicious requests.

Poison Records in Acra Intro When naming our special type of data containers created for raising an alarm within Acra-powered infrastructures, we were sure we’ve seen the term “poison records” used elsewhere in the same context. This particular technique in out of the box solution was first offered by us (if it wasn’t, let us know! We'd like to know more about their backstory :)). In a way, poison records are very much like passive honeypots, but their mechanics of work is completely different.

Summer moves on, Acra improves. This corridor of eclipses and Mercury retrograde gave life to the new version of Acra. Whole lotta updates to the already existing infrastructural elements. What else is new? AcraTranslator, for that matter — a lightweight server that receives AcraStructs stored anywhere and returns the decrypted data. Previously Acra was closely tied to the database infrastructure, but AcraTranslator is a tool that allows storing AcraStructs wherever it is convenient — as cells in a database or as files in a file storage (local or cloud storage, like AWS S3).

ACRA 0.81.0 RELEASE All the terrible things like lunar and solar eclipses, Mercury retrogrades, and PHP code refactoring will come later — this Friday is fully dedicated to the new release of Acra. In Acra 0.81.0 we’ve concentrated our efforts on improving the overall SQL handling, especially when it comes to SQL injection prevention, and teaching Acra’s “firewall” AcraCensor a few new tricks. If you’ve had troubles integrating some 3rd party WAFs into your infrastructure, Acra now might offer you a simpler, trouble-free solution.

ACRA 0.80.0 RELEASE This release is dedicated to usability and unification. Many components of Acra have been renamed. We believe that the updated names will decrease confusion about the components' functions and will make Acra's setup and usage process easier. The new names also align better with the common package naming practices. We couldn’t find a day inauspicious enough to release Acra 0.80.0, but decided that that last day of spring is still quite special :) Here are the changes in the new release:

Need for Docker image reducing To provide convenient delivery and faster deployment of our tools, just like everybody else − we use Docker. This article describes our experience of using containers for distribution of our product Acra (database encryption suite) and focuses on the method we used to reduce the size of Docker images approximately by 62-64 times. It’s not like we’ve made a revolutionary discovery, but as developers, we found it interesting to trace the steps from the moment of packaging a product into a container to trimming it down to a small Docker image.

ACRA 0.77.0 RELEASE Sticking to our tradition of rolling out new releases on conspicuous dates, we’re presenting Acra 0.77.0 on Friday 13th, Mercury retrograde. The changelog for the new Acra release was 3 pages long, so we’ve decided to spare you the details here (but you can always read the changelog in full in the Cossack Labs GitHub repository if you want to). Here are the main changes in the new release:

ACRA 0.76 RELEASE The spring and change are in the air! After a year in testing by early adopters (Acra 0.75 was released 1 year 5 days ago), we’re starting to push new features into the open-source version of Acra. 0.76 is a stability release, which unifies a lot of things “under the hood”: module interfaces, test automation, API, connection schemes — everything we need to gradually unveil & plenty of new exciting features we’ve prepared based on the user feedback.

Introducing Acra If you are concerned about data security, this means confronting a threat landscape that requires vigilance and defence against a wide range of attacks. One of the prime targets for attack continues to be sensitive data that is stored in backend database storage. From simple discovery of unsecured databases, through classic SQL injection techniques, to compromised infrastructure that allows wholesale copying of database content, attacks focus on data assets with increasing precision.

Intro As many of you know, Go is an amazing modern programming language with automated memory management. We love Go: we've used it to build Acra, our database encryption suite, we further use it to build other products. Not being extremely fancy, Go is practical and efficient and is a way to get things done in a reasonable timeframe. Sometimes, even in the age of modern, garbage-collected languages, with their own great profiling tools and well-thought memory management style, you'll still have to dust off old good valgrind to understand what's going on.