backend security series
Mar 23, 2021
Eugene Pilyankevich
Cloud security: gaps in a "shared responsibility" model
In this article we observe security responsibility of cloud providers: where it ends, what are the gaps and grey areas, and what risks security teams should take into account when using “as a service” platforms. So, you’re planning your new business in an area where security matters, and you start thinking about choosing your cloud provider to build your application on. Typically, you start juggling with a combination of all the nice building blocks you need and financial aspects you’re facing.
Nov 20, 2019
What Should You Drop When You Lift and Shift
Intro When companies move their infrastructures into the cloud, provisioning resources and configuring them to emulate their initial infrastructure — a practice called “lift and shift” — or migrate the existing solutions from one platform to another, something inevitably migrates together with all the code and assets: their security assumptions . The security assumptions affect the major security bottleneck — security team’s time and priorities. And the on-premises threat model and security priorities are very different from cloud-based.
Apr 4, 2019
Building Defence in Depth for Your Data Using Acra
Intro Any set of security controls deployed in your infrastructure may fail. Given enough pressure, some controls will certainly fail. No surprises here, but the question is – how to build our systems to make security incidents less damaging in case of a failure of some components? How to prevent data leaks even in case of a successful data breach? Building security tools , we strive towards defense in depth approach.
Feb 13, 2019
Preventing SQL Injections When WAF’s Not Enough
Intro What is the biggest threat to a tool that prevents unauthorised database access? Requests from the application side that trigger data leakage. Namely, SQL injections and other application attacks that allow attackers to craft custom SQL queries. How can we prevent that? The standard industry response is obvious — input sanitization, web application firewalls (WAFs), and prepared statements are typically used for addressing these concerns. We’re shipping a product which aims to intervene into application logic as little as possible but as it turns out, input sanitization is rarely done well, WAFs are not always efficient, and prepared statements are a question of app developer’s choice.
Dec 13, 2016
12 and 1 ideas on how to enhance backend data security
Article updated in 2019. Previously in the series... Previously, we’ve talked about classic design patterns in backend data security, then about key management goals and techniques. It is important to understand that database security evolved with system administration techniques and programming demands, with cryptography and access controls being complementary features, rather than cornerstones. In classic designs, there are two important drawbacks: Trust tokens: they rely on storing trust tokens somewhere inside the infrastructure;
Sep 21, 2016
Backend data security: Key management 101
Intro Frequently overlooked, much less hyped than quantum computers breaking trapdoor functions, managing keys is actually the most important part of building a security system. Secret keys, public-private key pairs, passwords and other factors of authentication are the control vessels within security system. In this article, we will go through basic key management concepts, explain some important ideas for next articles and provide some practical advice you can start implementing within your application tomorrow.
Aug 15, 2016