How Sqreen works¶ Introduction to app security monitoring¶ The Sqreen agent is installed in your application. Installing the Sqreen agent is not more difficult than installing any other dependency in your application. Your traffic is not redirected, and no network latency is introduced by the protection. Once your application is using Sqreen, the incoming HTTP requests are inspected against malicious activity, as well as execution flows performed by your application. Critical file/network accesses, commands executed by your app, SQL/NoSQL queries are checked to ensure that no attack is triggered. Suspicious user activities are also monitored at authentication layer. Stack traces are provided to help you fix the code directly. Your dev, sec and ops teams will no longer struggle to investigate breaches afterward. When attacks are identified, they are blocked and you get notified when security events require immediate action(s) on your side. With Sqreen, you can quickly remediate to security problems before attackers breach your application. Block attacks before being breached (and fix your code)¶ Sqreen blocks attacks in real time and provides actionable information to help you mitigate attacks before they happen. Sqreen's user interface provides both current and historical information about attacks, peaks of security exceptions, injection attempts (code, commands, and databases), and user accounts involved in the attacks. User protection is also provided against account takeover attacks, brute force, and suspicious activity. Use the Overview page to quickly examine the security status of your web application. For example: Sqreen Pulses provide information that requires action on your side. They are sent directly by email, Slack notification, or any other integration you set up. User activity provides a sneak peek of users attacking your application, those at risk, and suspicious activity. Package monitoring keeps you up-to-date about vulnerabilities discovered in third-party dependencies running on your web servers. Communication with Sqreen¶ The Sqreen agent communicates with the Sqreen Cloud via HTTPs. Sqreen's protection and monitoring are provided directly in your application and doesn't redirect your traffic. On a regular basis, the following statistics are sent to Sqreen in order to monitor security events within the applications: Number of requests processed with corresponding HTTP return codes Number of events within the applications, such as file accesses count, number of database queries protections or number command executed When User Context is set up, the following authentication information are sent in order to detect users at risk or users attacking your application: Login identifier (usually email, username or token) Source IP Date/Time When attacks are performed against the application (only under attacks) the following information are sent: Responsible URL HTTP headers (stripped from sensitive info and session ID) Back trace of the event in the application In case of SQL injection: the specific SQL queries responsible of the injection In case of cross-site scripting attack: the specific content responsible for the XSS attack The Sqreen agent requires your firewall to allow outgoing connections to the following hosts and ports: Hosts back.sqreen.io Ports TCP 443 Resiliency - What if Sqreen is experiencing a downtime? Sqreen has been built with resiliency in mind. The agents are not dependent of Sqreen servers and will continue to run normally in case of network issues. Security events will be flushed as soon as the connection is back. No synchronous calls are performed. For any reason, if Sqreen servers are experiencing unexpected latency, this will not affect your application performance. Collective Intelligence¶ The technical information about the attacks is sent to Sqreen Cloud for further analysis. The Sqreen community helps us make the protection stronger. Sqreen is continuously identifying and blocking new potential threats to provide the best protection.