We create cryptographic products for regular software developers to deploy data security in their apps with minimum solution cost and time.
Technical articles and stack decisions from Cossack Labs
Security tips on using YubiKey and FIDO U2F
Designed for securing online accounts, FIDO U2F as a protocol and YubiKey as a hardware tool are not silver bullets. If not used wisely, this powerful combo becomes an attractive target in the hands of skilful attackers.
Flutter application security considerations
Ensuring security in cross-platform development with Flutter: Pros and cons, platform-specific security risks, fundamental security recommendations for using Flutter effectively and avoiding pitfalls.
Digital wallets security: Overcoming paradoxes and contradictions
Building secure digital wallets is a challenge when it comes to balancing between convenience and security while fighting the threats. How to build a reliable user-friendly product that meets user needs and effectively protects their assets?
How to prevent digital wallet fraud
Understanding digital wallet fraud is critical for designing and integrating an effective anti-fraud solution. Read about security events, risk models, remote device attestation, user authentication, KYC, trade-offs, and more.
Exploring security vulnerabilities in NFC digital wallets
NFC-based devices, such as mobile digital wallets, contactless smart cards, and security keys (hardware authentication devices), expose users to NFC vulnerabilities in encryption, as well as to replay and side-channel attacks.
Smart contract security audit: tips & tricks
A smart contract security audit is very different from a traditional application security audit. Smart contracts are immutable, they interact with each other and transfer user funds between accounts. A unique threat landscape brings unique challenges.
Transparent data encryption for SQL databases with Acra 0.93
Fully transparent encryption of sensitive fields is possible with the open source Acra 0.93 release. Acra works on the SQL protocol level, hiding details from developers and reducing encryption integration cost. Learn how it works under the hood.
Introduction to automated security testing
Keep your code shipshape and reduce vulnerabilities with automated security testing. Delve into ways and tools of software security testing that developers and platform engineers can set up and automate to make apps more secure.
Cryptographic failures in RF encryption allow stealing robotic devices
Stunned by losing their robotic devices, [REDACTED] learnt that they were hijacked by attackers even with communication being encrypted. Having researched its firmware and found numerous cryptographic failures, we've crafted a few demos on how cryptography goes wrong in real life.
RepoMetaScore: evaluating supply chain risks of open-source repositories
Releasing RepoMetaScore: a dependency checking tool that analyzes the metadata of an open-source project, including commit history and contributors’ background. RepoMetaScore calculates a risk rating, makes supply chain risks visible and prevents weaponizing OSS.
Cossack Labs stands on guard for security of Ukrainian companies
Cossack Labs stands with Ukraine and offers free security assessment and engineering services for Ukrainian companies to improve country protection and resilience.
Security of React Native libraries: the bad, the worse and the ugly
How to select a secure React Native library for your app. Sort out improper platform usage, easy-to-misuse APIs, deprecated and abandoned libraries – check our research of the React Native ecosystem security.
TLS validation: implement OCSP and CRL verifiers in Go
Everything developers need to know about using OCSP and CRL for validating TLS certificates in Go apps. Things we’ve learnt while building our own OCSP/CRL validation tooling: design, implementation and security tips, example code and popular mistakes.
Crypto wallets security as seen by security engineers
Read about building secure crypto wallets and issues we found when doing crypto wallet security audits. Hot non-custodial wallets store private keys, sign crypto transactions, and claim to be secure. But are they?
Acra 0.90.0: application-level encryption and searchable encryption for any SQL and NoSQL databases
Acra Community Edition 0.90.0 – database security suite for SQL and NoSQL databases, which comes with application-level encryption, searchable encryption, and encryption-as-a-service API available for any developer.
Cloud security: gaps in a "shared responsibility" model
Security responsibility of cloud providers: where it ends, what the gaps are, and what steps your team should take to improve its cloud security strategy.
React Native security: things to keep in mind
React Native security: what developers and team leads need to know. Risks and threats, typical security mistakes, best engineering practices.
Security logs: cryptographically signed audit logging for data protection
Why cryptographically signed audit logs are essential for security software and how we’ve built secure audit logging into Acra for defense in depth.
Themis 0.13.0 Is Released
Introducing new “encrypt-with-passphrase” API, new API for generating symmetric keys, support for Kotlin for Android, and updated Themis knowledge base.
Swift way to build OpenSSL for Carthage iOS, as we did it for Themis
A story about updating Themis Carthage package with the latest OpenSSL for iOS and macOS apps: scripts, errors, testing matrix and working solution.
3 mistakes to avoid when dealing with OpenSSL versions and iOS apps
Hack the OpenSSL versioning problem when submitting your iOS app to the App Store.
PII encryption requirements. Cheatsheet
What data is sensitive and needs to be encrypted according to data privacy regulations like CCPA, GDPR, HIPAA, etc.? Our cheatsheet addresses this question
What Should You Drop When You Lift and Shift
When moving to the cloud, your threat model changes. Learn how to reallocate your security efforts effectively.
Security Engineering Advice: 4 Ways to Prepare for Security Incidents
Don't be afraid of security incidents, prepare for them in advance. Choose the scenario that suits your company and fits your budget.
Themis 0.12.0
Themis 0.12.0 release: full support for WebAssembly/Electron applications plus an experimental installation for Windows!
Implementing End-to-End encryption in Bear App
Helping Bear app implement note encryption for their vast existing user base. Balancing usability, security, and mobile platforms' restrictions.
Secure Search Over Encrypted Data
What is searchable encryption and how to perform secure search over encrypted data.
Install Acra 1-Click App through DigitalOcean Marketplace
Step-by-step installation and configuration tutorial.
Acra on DigitalOcean Marketplace
Acra encryption suite is now available as a 1-Click App running in a Droplet on DigitalOcean Marketplace.
Building Defence in Depth for Your Data Using Acra
The defence-in-depth approach to building secure apps, explained with the help of the Acra encryption suite.
New Themis 0.11.1
Themis v0.11.1 “Diamonds and Rust”: Improvements, Rust-Themis wrapper, Carthage and Maven distribution options.
ACRA 0.85.0 LOOKING GLASS
Release notes for Acra 0.85.0
How We Built an SQL Firewall — AcraCensor
Preventing SQL injections is hard: WAF is easy to bypass and a good SQL firewall is hard to find. We ended up building our own open source SQL firewall.
Preventing SQL Injections When WAF’s Not Enough
Using SQL firewall to protect database against SQL injections at scale as compared to WAF.
On Blockchain and GDPR
Blockchain solves several technical challenges. Sadly, while it can be helpful, using it won't make your product automatically secure or GDPR-compliant.
Looking Back at 2018 — A Year in Retrospect
Seven releases of Acra, DGAP security consulting and security training services, a whole new Docserver, conference talks all over the world, and much more.
Thank You for Contributing and Using Themis in 2018
We are extremely grateful to our open-source contributors and for the feedback from select users and want to recognize and celebrate their input in 2018!
Hiring External Security Team: What You Need to Know
We’ve outlined the 4 main security-related business risks and charted the way to choose the right consulting type to cover them.
How to Implement Tracing in a Modern Distributed Application
A story from the trenches of implementing distributed tracing in our Acra data security suite.
ACRA 0.84.0 NEW HORIZONS
Release notes for Acra 0.84.0.
ACRA 0.83.0 RELEASE
Release notes for Acra 0.83.0 release.
GDPR for Engineers: Implementing Rights and Security Demands
Mapping data privacy regulation to changes in database structure, updates in DevOps practices, backups, and restricted processing.
Poison Records in Acra – Database Honeypots for Intrusion Detection
A database protection tool for detecting suspicious behaviour, created by Cossack Labs.
ACRA 0.82.0 IS OUT!
Cossack Labs Acra 0.82.0 release.
Replacing OpenSSL with BoringSSL in a Complex Multi-Platform Layout
Testing the performance of BoringSSL against OpenSSL as used with Themis/Soter
Themis 0.9.5 release
Replacing OpenSSL with Libsodium
Testing the performance of Libsodium against OpenSSL as used with Themis/Soter
This year at Cossack Labs
The bright and eventful year 2016 has imperceptibly come to an end. Sharing the results of our work!
Plugging leaks in Go memory management
Investigating memory leaks can be fun, sometimes. Especially in garbage collected languages with C imports.
Presenting Acra
Take a look at our new product, Acra, a database security suite.
Auditable Macros in C Code
Our experience in making macros in crypto C code auditable through customized preprocessor scripts.
Introducing Hermes
Release of the PoC implementation of Hermes — Hermes-core 0.5.1
Themis 0.9.6 release
Happy Holidays from Cossack Labs!
2017 at Cossack Labs
Looking back at the accomplishments of 2017 at Cossack Labs
Releasing Themis 0.10.0
Themis 0.10.0 release
ACRA 0.76 IS OUT NOW!
Cossack Labs Acra 0.76 release
Moving to OpenSSL 1.1.0 — How We Did It
Going through breaking changes and avoiding pitfalls in the process of moving from OpenSSL 1.0.2 to OpenSSL 1.1.0.
ACRA 0.77.0 RELEASE
Cossack Labs Acra 0.77.0 release
ACRA 0.80.0 IS HERE
Cossack Labs Acra 0.80.0 release. The main feature of this release is improved usability through intuitive renaming of Acra components.
MEET ACRA 0.81.0
Cossack Labs Acra 0.81.0 release.
Social Events of Spring-Summer 2018 for Cossack Labs
IT conferences and meetups visited by the members of Cossack Labs team as speakers, hosts, and participants.
Reducing Docker Image Size for Acra
We tried a few approaches and found a way to reduce the Docker image sizes for components of our database encryption proxy Acra by roughly 62 times.
Importing with ctypes in Python: fighting overflows
Nothing is trivial when you're talking about security. This post explores the pursuit of a cleaner link between the Themis core C library and its Python wrapper.
Themis database modules
This post talks about Themis plugins, how to use them, and why you might even want to.
12 and 1 ideas on how to enhance backend data security
Themis 0.9.4 release
Why making Internet safe is everyone’s responsibility
Backend data security: Key management 101
This article outlines common key management strategies when encrypting data within your backend.
Classic Backend Security Design Patterns
Zero Knowledge Protocols without magic
Perimeter security: avoiding disappointment, shame and despair
Introducing Themis 0.9.3
Choose your Android crypto (Infographic)
Infographic on how to choose crypto when developing Android apps.
Building Sesto, in-browser password manager
Sesto is an open-source secret storage tool for the web, good for passwords, keys, etc.
Benchmarking Secure Comparator
Testing Secure Comparator against some realistic use cases.
Crypto in iOS: Choose your destiny (Infographic)
Infographic on how to choose crypto when developing iOS apps.
Building secure end-to-end webchat with Themis
Building an end-to-end secure webchat, with discretion and a certain degree of anonymity, using WebThemis and pythemis on the server side.
Building LibreSSL for PNaCl
This post describes our adventures in building libcrypto from LibreSSL for PNaCl.
Introducing Themis Server
Debug your Themis code with a friendly interactive server simulator that talks to you over the internet.
Building and Using Themis in PNaCl
Harnessing PNaCl for stronger web security.
What's wrong with Web Cryptography
In-depth discussion of problems with modern JavaScript attempts at building cryptography on the web
WebThemis: proper crypto for modern Web
This post introduces WebThemis: Themis ported to a PNaCl (Google Chrome) bitcode library.
Fixing Secure Comparator
How we've fixed Secure Comparator after spotting a security vulnerability in it
Introducing Secure Comparator
Secure Comparator is a novel authentication technique that we are proposing for the cryptographic community to evaluate. It can be used as any id/secret pair authent
Why do we need novel authentication schemes?
This is a blog post about different authentication techniques and why they're not enough.
WeakDH/LogJam vs Secure Session
Article outlining principal differences between Diffie-Hellman in Secure Session and SSL/other WeakDH-vulnerable
Armoring ed25519 to meet extended security challenges
How we've modified ed25519 curve to provide additional math for our novel cryptographic primitive
Introducing Themis 0.9.2
Why you should avoid SSL for your next application
SSL is huge, inefficient, complex and presents many vulnerabilities. If you can avoid it, you should.
Building encrypted chat service with Themis and mobile websocket example
A short how-to on armoring client-server mobile architectures with Themis cryptography.
Notes on adding cutting edge features
Important changes in the Themis build architecture, and observations on cryptographic validity.
Releasing Themis into public: usability testing
Introducing Themis