The hurdles of managing cryptographic keys at an enterprise level. A deep dive into the maintenance challenges of HSMs and the advantages of Key Management solutions. — This post is focused on the most important components that play a role in the key management lifecycle: Hardware Security Modules (HSMs) and Key Management Services (KMSs). I start by giving a very short introduction of what is cryptographic key management and what does the key management lifecycle entails. …

An honest introduction to the Security Engineer career path — Introduction This blog gives an introduction to the Security Engineer career profile by stating some general facts about Security Engineers. If you work closely with a security engineer everyday, perhaps you’ll find some funny facts in this blog post that you can relate to and may help you understand how we…

Analysis of the INE/Cloudflare case where the Portuguese DPA order suspension of data transfers to the USA according the Schrems II ruling and reasoning about general implications for SaaS solutions. — In this post I analyse the recent INE/Cloudflare case according to Schrems II ruling, where the Portuguese DPA ordered suspension of all transfers of Portuguese census data to the USA. I then abstract the architecture pattern inherent to INE/Cloudflare situation and reason about possible implications for non-EEA SaaS in the…

Bring your own key (BYOK) is a marketing feature available in most of the public cloud providers to enable the customers to use encryption keys generated by the customer. — In this blog post I address Bring Your Own Key (BYOK) and the concept of (cryptographic) key control. I start by first giving a high-level overview of what BYOK feature entails and then why it is important for organisations to control the encryption keys that are used to protect the…

We thought we solved the problem, but it seems we just have created a new one. This post addresses the concerns related with remote (digital) signature services in the context of the eIDAS regulation. I start by introducing the concept of digital signatures and their requirements within the context of…

This blog post addresses the impact of Schrems II in organisations within the European Economic Area (EEA) that host their services in public cloud services (owned by companies that are not part of EEA). In particular, I address the impact of EEA organisations that host their services in Microsoft Azure…

Yes, some aspects of software security are slowly improving. But, the more accurate answer is: there is still a lot to be done. — What does this yes mean then? That you are spending your efforts in the right way? That applications are getting safer? Let’s see what kind of things have improved and what’s still missing. What has been actually improving? #1 Active usage of secure connections Applications do rely more and more on secure connections, including internal network communications (which was not the…

Making sense of the GDPR as a software engineer (and social human being) Article 25 of the General Data Protection Regulation (GDPR) addresses data protection by design and by default as a general obligation for data processors and controllers. From a software engineer’s perspective, it is really challenging to distill…

9 best practices to make your software security future proof — How maintainable is the security of your (web) application? Maintainable security. This topic that has been floating in my mind for a long time. Information security is the hot topic of the moment, either because the GDPR demands it as prerequisite for privacy enforcement or because people are becoming more and more aware of its importance. The trust people…