How Sqreen works


Introduction to app security monitoring

The Sqreen agent is installed inside your application. Installing it is no harder than adding any other dependency to your application. Your traffic is not redirected, and the protection introduces no network latency.

Once your application is using Sqreen, incoming HTTP requests are inspected for malicious activity, as are the execution flows performed by your application. Critical file and network accesses, commands executed by your app, and SQL/NoSQL queries are analysed to ensure that no vulnerability is triggered. Suspicious user activity is also monitored at the authentication layer.

Stack traces are provided to help you fix the code directly. Whether you work in dev, sec or ops, you will no longer have to struggle to investigate breaches after the fact.

When attacks are identified, they are blocked, and you are notified when security events require immediate action on your side. With Sqreen, you can quickly remediate security problems before attackers breach your application.


Block attacks before being breached (and fix your code)


Sqreen security plugins prevent vulnerabilities from being exploited, block attacks in real time, and provide actionable information to help you mitigate attacks before they succeed.

Sqreen's user interface provides both current and historical information about attacks, peaks of security exceptions, injection attempts (code, commands, and databases), and user accounts involved in the attacks.

User protection is also provided against account takeover attacks, brute-force attacks, and suspicious activity.

Use the Overview page to quickly examine the security status of your web application. For example:

  • Sqreen Incidents provide information that requires action on your side. They are sent directly by email, Slack notification, or any other integration you set up.
  • User activity provides a sneak peek of users attacking your application, those at risk, and suspicious activity.
  • Package monitoring keeps you up to date about vulnerabilities discovered in your app's third-party dependencies.

Communication with Sqreen

The Sqreen agent communicates with the Sqreen Cloud via HTTPS. Sqreen's protection and monitoring are provided directly in your application and do not redirect your traffic.

The kind of data sent to Sqreen depends on the plugins you've enabled in your applications. You can visit the Security Hub to learn more about each plugin's data policy.

Regardless of the plugins enabled, the agents collect the number of requests processed along with their HTTP status codes.

The Sqreen agent requires your firewall to allow outgoing connections to back.sqreen.io on port 443 (HTTPS).


Resiliency - What if Sqreen is experiencing downtime?

Sqreen has been built with resiliency in mind. The agents do not depend on the Sqreen servers and will continue to run normally in case of network issues. Security events are buffered and flushed as soon as the connection is back. No synchronous calls to the Sqreen servers are performed.

If, for any reason, the Sqreen servers experience unexpected latency, your application's performance is not affected.

Collective Intelligence

Technical information about the attacks is sent to the Sqreen Cloud for further analysis. The Sqreen community helps us make the protection stronger: Sqreen continuously identifies and blocks new potential threats to provide the best protection.

PII scrubbing

Each time the Sqreen agents send data to the Sqreen backend, the data is filtered to remove any potential leak of Personally Identifiable Information (PII). This behavior can be deactivated in the local configuration of the agent, but we don't recommend it. Refer to the advanced configuration section for your technology to learn more.

The following data will be scrubbed when filtering is enabled:

  • Values that look like they contain credit cards (using a basic regular expression)
  • Keys that contain any of the following values:
    • password
    • secret
    • passwd
    • authorization
    • api_key
    • apikey
    • access_token
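
A minimal scrubber implementing the two rules above, added here as an illustration and not Sqreen's agent code: the key substrings come from the list on this page, while the card-number regex, the `[REDACTED]` marker and the sample event are assumptions constructed for the example.

```python
import re
from typing import Any

# Key substrings taken from the scrubbing list above. Matching is done on the
# lowercased key, so "Authorization" and "apiKey" are caught too (assumption:
# the agent's exact matching rules may differ).
SENSITIVE_KEY_PARTS = (
    "password", "secret", "passwd", "authorization",
    "api_key", "apikey", "access_token",
)

# A basic "looks like a credit card" pattern, constructed for this example:
# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run. Being basic it over-matches long order numbers, which is
# the safe failure mode for a scrubber.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

REDACTED = "[REDACTED]"  # placeholder marker chosen for this example


def _key_is_sensitive(key: Any) -> bool:
    k = str(key).lower()
    return any(part in k for part in SENSITIVE_KEY_PARTS)


def scrub(data: Any) -> Any:
    """Return a scrubbed deep copy of `data`; the input is left untouched.

    Values under a sensitive key are replaced whole; strings elsewhere have
    any card-like digit run replaced. Dicts, lists and tuples are walked
    recursively so nested request bodies are covered.
    """
    if isinstance(data, dict):
        return {k: (REDACTED if _key_is_sensitive(k) else scrub(v))
                for k, v in data.items()}
    if isinstance(data, (list, tuple)):
        return type(data)(scrub(v) for v in data)
    if isinstance(data, str):
        return CARD_RE.sub(REDACTED, data)
    return data


# Constructed sample of what an agent might report for a blocked request.
# The shape is an assumption, not Sqreen's wire format.
SAMPLE_EVENT = {
    "path": "/checkout",
    "headers": {"Authorization": "Bearer abc123", "User-Agent": "curl/7.68"},
    "params": {"user": "alice", "password": "hunter2",
               "note": "pay with 4111 1111 1111 1111 please",
               "items": [{"sku": "A-1", "apiKey": "k"}]},
    "status": 403,
}

if __name__ == "__main__":
    print(scrub(SAMPLE_EVENT))
```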