Sep 14, 2020
Security logs: cryptographically signed audit logging for data protection
Logs, audit logs, and security events are a must-have component of a secure system: they help to monitor ongoing behaviour and provide forensic evidence in case of an incident. Let’s cut through complexity. In this article, we cover cryptographically signed audit logging, aka “secure logging”, where logs are generated in a way that prevents tampering with messages and removing, adding or reordering log entries. We explain why signed logs are essential for security software, how we’ve built secure audit logging into Acra, and how to use it together with other defence-in-depth layers in your systems.
Jul 23, 2019
Secure Search Over Encrypted Data
More and more data is outsourced to remote (cloud) storage providers, fuelled by “software as a service” trends in enterprise computing. Data owners want to be certain that their data is safe against theft by outsiders, internal threats, and untrusted service providers alike. To safeguard the data, encryption is used. Modern encryption is much more than ticking the “data at rest encryption” checkbox on AWS S3 or using a TLS connection between the database and the backend.
May 7, 2019
Install Acra 1-Click App through DigitalOcean Marketplace
Cossack Labs has recently joined the DigitalOcean Marketplace family, following our mission to make high-end security tools available to the general developer audience in a convenient fashion. Acra encryption suite is one of the first data security and encryption tools on DigitalOcean Marketplace, and it is now available as a 1-Click App running in a DigitalOcean Droplet. Acra provides selective encryption, multi-layered access control, SQL firewall (SQL injection prevention), database leakage prevention, and intrusion detection capabilities as a server deployed in your infrastructure (on prem or in cloud).
Apr 16, 2019
Acra on DigitalOcean Marketplace
We always strive to make high-end security tools available to a general developer audience in a convenient fashion. Only by making data security accessible can we ensure real security of sensitive data everywhere. As another step towards our mission, we are proud to announce that Acra encryption suite is now available as a 1-Click App running in a Droplet on DigitalOcean Marketplace. DigitalOcean is known for its caring attitude towards development teams of any size.
Apr 4, 2019
Building Defence in Depth for Your Data Using Acra
Any set of security controls deployed in your infrastructure may fail. Given enough pressure, some controls will certainly fail. No surprises here, but the question is: how do we build our systems to make security incidents less damaging when some components fail? How do we prevent data leaks even after a successful data breach? Building security tools, we strive towards a defence-in-depth approach.
Mar 15, 2019
ACRA 0.85.0 LOOKING GLASS
New Acra 0.85.0 brings the expanded functionality we’ve announced during the release of Acra 0.84.0. We’ve added server-side encryption mode which allows integrating Acra without altering the client application code. It’s called AcraServer’s Transparent proxy mode and allows you to configure AcraServer to parse SQL queries and to encrypt values designated for specific database columns. Transparent encryption mode is useful for large distributed applications where updating the source code of each client app separately would be complicated.
Feb 13, 2019
Preventing SQL Injections When WAF’s Not Enough
What is the biggest threat to a tool that prevents unauthorised database access? Requests from the application side that trigger data leakage, namely SQL injections and other application attacks that allow attackers to craft custom SQL queries. How can we prevent that? The standard industry response is obvious: input sanitization, web application firewalls (WAFs), and prepared statements are typically used for addressing these concerns. We’re shipping a product which aims to intervene in application logic as little as possible, but as it turns out, input sanitization is rarely done well, WAFs are not always efficient, and prepared statements are a matter of the app developer’s choice.
Dec 31, 2018
Looking Back at 2018 — A Year in Retrospect
2018 was as exciting as it was busy: 7 new versions of Acra Open Source accompanied by Acra Live Demo and Acra Engineering Demo, the launch of DGAP security consulting and security training services, over a dozen articles in the blog and on Medium, a whole new Documentation Server, talks at conferences all over the world, and many more interesting events. According to our GitHub statistics, 2018 resulted in:
Nov 22, 2018
How to Implement Tracing in a Modern Distributed Application
Distributed tracing is incredibly helpful during the integration and optimisation of microservice-rich software. Before implementing tracing as a publicly available feature in the latest version of Acra, we did some research to catch up with current industry standards in tracing protocols and tools. In this article, we explain why tracing is a very useful thing and how you can benefit from using it in your projects.
Nov 9, 2018
ACRA 0.84.0 NEW HORIZONS
The main new features of Acra 0.84.0 are built around DevOps needs: they eliminate the need for deep knowledge of secure development and cryptography to protect your data using Acra. Logs, metrics, and full-scale tracing will help during the deployment and usage of Acra. You can export them to your favourite tools (e.g. ELK, Prometheus, Jaeger) and monitor Acra’s load, performance, and behaviour in real time. Great things are planned for the next few releases.
Sep 28, 2018
ACRA 0.83.0 RELEASE
As the days were getting shorter, our pull requests were getting longer, and here we are now, proud to present Acra 0.83.0. Its distinctive new feature is the AcraRotate utility, which allows you to easily rotate the storage keys on a regular basis or perform an emergency key rotation if you’ve detected (or suspect) a compromise of the client app. SQL filtering got more flexible: the 6 new patterns (including SUBQUERY and LIST_OF_VALUES) allow deep customisation for configuring the accepted queries and blocking malicious requests.
Aug 16, 2018
Poison Records in Acra – Database Honeypots for Intrusion Detection
When naming our special type of data containers created for raising an alarm within Acra-powered infrastructures, we were sure we’d seen the term “poison records” used elsewhere in the same context. As an out-of-the-box solution, this particular technique was first offered by us (if it wasn’t, let us know! We'd like to know more about their backstory :)). In a way, poison records are very much like passive honeypots, but the mechanics of how they work are completely different.
Aug 14, 2018
ACRA 0.82.0 IS OUT!
Summer moves on, Acra improves. This corridor of eclipses and Mercury retrograde gave life to the new version of Acra, with a whole lot of updates to the already existing infrastructural elements. What else is new? AcraTranslator, for that matter: a lightweight server that receives AcraStructs stored anywhere and returns the decrypted data. Previously Acra was closely tied to the database infrastructure, but AcraTranslator is a tool that allows storing AcraStructs wherever it is convenient, as cells in a database or as files in file storage (local or cloud storage, like AWS S3).
Jul 6, 2018
MEET ACRA 0.81.0
All the terrible things like lunar and solar eclipses, Mercury retrogrades, and PHP code refactoring will come later; this Friday is fully dedicated to the new release of Acra. In Acra 0.81.0 we’ve concentrated our efforts on improving the overall SQL handling, especially when it comes to SQL injection prevention, and on teaching Acra’s “firewall” AcraCensor a few new tricks. If you’ve had trouble integrating some 3rd party WAFs into your infrastructure, Acra now might offer you a simpler, trouble-free solution.
May 31, 2018
ACRA 0.80.0 IS HERE
This release is dedicated to usability and unification. Many components of Acra have been renamed. We believe that the updated names will reduce confusion about the components' functions and will make Acra's setup and usage process easier. The new names also align better with common package naming practices. We couldn’t find a day inauspicious enough to release Acra 0.80.0, but decided that the last day of spring is still quite special :) Here are the changes in the new release:
May 29, 2018
Reducing Docker Image Size for Acra
To provide convenient delivery and faster deployment of our tools, we use Docker, just like everybody else. This article describes our experience of using containers for distribution of our product Acra (database encryption suite) and focuses on the method we used to decrease the size of Docker images by approximately 62-64 times. It’s not like we’ve made a revolutionary discovery, but as developers, we found it interesting to trace the steps from the moment of packaging a product into a container to trimming it down to a small Docker image.
Apr 13, 2018
ACRA 0.77.0 RELEASE
Sticking to our tradition of rolling out new releases on conspicuous dates, we’re presenting Acra 0.77.0 on Friday the 13th, Mercury retrograde. The changelog for the new Acra release was 3 pages long, so we’ve decided to spare you the details here (but you can always read the changelog in full in the Cossack Labs GitHub repository if you want to). Here are the main changes in the new release:
Mar 12, 2018
ACRA 0.76 IS OUT NOW!
Spring and change are in the air! After a year in testing by early adopters (Acra 0.75 was released 1 year and 5 days ago), we’re starting to push new features into the open-source version of Acra. 0.76 is a stability release, which unifies a lot of things “under the hood”: module interfaces, test automation, API, connection schemes, everything we need to gradually unveil plenty of new exciting features we’ve prepared based on user feedback.
Mar 8, 2017
Introducing Acra
If you are concerned about data security, this means confronting a threat landscape that requires vigilance and defence against a wide range of attacks. One of the prime targets for attack continues to be sensitive data that is stored in backend database storage. From simple discovery of unsecured databases, through classic SQL injection techniques, to compromised infrastructure that allows wholesale copying of database content, attacks focus on data assets with increasing precision.
Feb 28, 2017