Configure your email notifications

As we grow, our security coverage keeps expanding, which has led to Sqreen sending more and more notifications.

While we keep working hard to keep the noise to a minimum, by designing, testing and improving our heuristics, we also understand that sometimes you know best what's relevant to you.

Today, we're releasing new settings that let you configure which alerts you want to receive over email. You can now subscribe to, or unsubscribe from, any type of incident, for all applications.

In a future release, we'll enable you to do the same with Slack.

Content Security Policy (CSP): a better management flow

Setting up and maintaining a working Content Security Policy (CSP) is hard.

We introduced a very interactive way to manage it, by collecting the violation reports and suggesting domains to add to the policy.

Today, we're releasing some improvements to make your life even easier managing it:

  • Manually add entries in your policy. Sometimes, it's the easiest path.
  • Monitor violations going over a threshold. This comes in addition to our existing detection of unusual volumes of violations.
  • Overall UX improvements.

Those improvements follow all the great feedback you've shared with us, along with our own experience setting up a CSP on the Sqreen Dashboard.
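To make the report-collection flow described above concrete, here is an added example (not Sqreen's code) of a minimal report-uri endpoint in PHP: it parses the JSON bodies a browser POSTs on a CSP violation, tallies them per directive and blocked origin, lists the origins a human should review as candidates for the policy, and flags any combination that reaches a threshold. The function names, the threshold value and the sample report bodies are all constructed for this example.

```php
<?php
// Added example, not Sqreen's code: a minimal report-uri endpoint that parses
// browser CSP violation reports, counts violations per directive and source,
// and raises an alert when a source crosses a threshold. Names are hypothetical.
declare(strict_types=1);

/**
 * Parse one application/csp-report body. Returns ['directive' => ..., 'source' => ...]
 * or null when the body is not a well-formed report (malformed input is dropped,
 * never trusted).
 */
function parseCspReport(string $body): ?array
{
    $data = json_decode($body, true);
    $report = $data['csp-report'] ?? null;
    if (!is_array($report)) {
        return null;
    }
    $directive = $report['effective-directive'] ?? $report['violated-directive'] ?? null;
    $blocked = $report['blocked-uri'] ?? null;
    if (!is_string($directive) || !is_string($blocked) || trim($directive) === '') {
        return null;
    }
    // Older browsers send the whole directive ("style-src 'self'"); keep the name only.
    $directive = explode(' ', trim($directive))[0];

    // Reduce a blocked URL to its origin. Keyword values the browser reports
    // ("inline", "eval", "data") have no host and are kept verbatim.
    $parts = parse_url($blocked);
    if (is_array($parts) && isset($parts['scheme'], $parts['host'])) {
        $source = $parts['scheme'] . '://' . $parts['host'];
        if (isset($parts['port'])) {
            $source .= ':' . $parts['port'];
        }
    } else {
        $source = $blocked;
    }
    return ['directive' => $directive, 'source' => $source];
}

/**
 * Count violations per "directive source" key, group the sources per directive
 * for human review, and return the keys whose count reached $threshold.
 */
function summarizeCspReports(array $bodies, int $threshold): array
{
    $counts = [];
    foreach ($bodies as $body) {
        $parsed = parseCspReport($body);
        if ($parsed === null) {
            continue;
        }
        $key = $parsed['directive'] . ' ' . $parsed['source'];
        $counts[$key] = ($counts[$key] ?? 0) + 1;
    }
    arsort($counts);

    $suggestions = [];
    foreach ($counts as $key => $n) {
        [$directive, $source] = explode(' ', $key, 2);
        $suggestions[$directive][] = $source;
    }
    $alerts = array_filter($counts, fn (int $n): bool => $n >= $threshold);

    return ['counts' => $counts, 'suggestions' => $suggestions, 'alerts' => $alerts];
}

// Constructed sample bodies, shaped like what a browser POSTs to report-uri.
$sampleBodies = [
    '{"csp-report":{"document-uri":"https://app.example/","effective-directive":"script-src","blocked-uri":"https://cdn.example.net/lib.js"}}',
    '{"csp-report":{"document-uri":"https://app.example/","effective-directive":"script-src","blocked-uri":"https://cdn.example.net/other.js"}}',
    '{"csp-report":{"document-uri":"https://app.example/","effective-directive":"script-src","blocked-uri":"https://cdn.example.net/lib.js"}}',
    '{"csp-report":{"document-uri":"https://app.example/","violated-directive":"style-src \'self\'","blocked-uri":"inline"}}',
    '{"csp-report":{"document-uri":"https://app.example/","effective-directive":"img-src","blocked-uri":"https://unknown.example.org/pixel.gif"}}',
    'not json at all',
];

$summary = summarizeCspReports($sampleBodies, 3);
foreach ($summary['suggestions'] as $directive => $sources) {
    echo "$directive: candidate sources to review: " . implode(', ', $sources) . PHP_EOL;
}
foreach ($summary['alerts'] as $key => $n) {
    echo "ALERT: $n violations for $key (threshold reached)" . PHP_EOL;
}
```

With the constructed input, `script-src https://cdn.example.net` is counted three times and is the only key that reaches the threshold of 3, `inline` shows up under `style-src`, and the malformed body is dropped. The suggestions are deliberately candidates rather than automatic additions: a resource injected into a page by an attacker produces violation reports exactly like a legitimate CDN does, so a sudden burst of reports naming a domain nobody on the team recognizes is a signal to investigate, not a source to add to the policy.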

An improved weekly email digest

Continuing the effort we started with the Slack daily digest a few weeks back, we’ve improved the weekly email report.

What’s new in there? First of all, your weekly email digest now covers what’s going on across your organization, rather than reporting application by application. Hopefully, it makes things easier for you to digest!

Also, it now features all the new things we added in our product over the past months: application security risk, organization token, etc.

Last, but not least: it’s now fully responsive!

All in all, we hope that this new format will help you keep an eye on what’s going on with your applications’ security, on the go!

A brand new Slack daily digest

Like many organizations, you might use Slack to stay on top of your application security activity in Sqreen. Each day, Sqreen sends out a Slack digest of the security activity in your applications.

Today, we’re happy to release a brand new version of our Slack alerts digest. The new digest is more aligned with the state of our product today, which has evolved a lot since we released the original digest.

The notable change is that the digest is more relevant and streamlined. It’s organized around what happened in your organization at a high level rather than giving a full detailed recap on every application.

To further reduce the number of unnecessary alerts, the daily digest will only go out if there has been meaningful security activity to report (such as incidents, security weaknesses, or organization highlights).

We hope you’ll love this new, more digestible digest! Please send any feedback our way.

Discover your applications' security weaknesses

A few weeks ago, we released the very first iteration of the Application Security Risk details view.

While showing the mitigations Sqreen recommends to tackle the detected security weaknesses was great, it wasn't the best way to explore them.

This new iteration focuses on the weaknesses first, which should help you understand what is wrong and take action.

As usual, we're eager to hear your feedback!

A fresh look for the Monitoring overview

We improved the layout and overall look and feel of the Monitoring overview.

We're featuring the Application Security Risk, our latest addition, so you can get the true gist of each app's security at a glance.

The apps' stats (monitored requests, blocked attacks, malicious requests) are also back after having vanished for a couple of weeks.

RASP: XXE in PHP Protection

XML External Entity (XXE) is a vulnerability affecting apps that process XML documents.

The vulnerability is triggered when a weakly configured XML parser processes input that contains a reference to a malicious external entity. It may lead to data disclosure, denial of service, etc.

The OWASP 2017 Top Ten classifies this vulnerability as A4.

This protection is available to all PHP applications.
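To show what "weakly configured" means in practice for PHP, here is an added example (not Sqreen's code, and not the protection described above) that feeds the same DOCTYPE-bearing document to a `DOMDocument` loaded with the entity-substituting `LIBXML_NOENT` flag and to a hardened loader that rejects any DTD up front and never substitutes entities. The sample document and its placeholder `SYSTEM` path are constructed for this example; the function names are hypothetical.

```php
<?php
// Added example, not Sqreen's code: the same DOCTYPE-bearing document fed to a
// weakly configured DOMDocument and to a hardened one. The SYSTEM identifier is
// a placeholder path, constructed for this example.
declare(strict_types=1);

const SAMPLE_XML = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-file">
]>
<order><note>&ext;</note></order>
XML;

/**
 * Weak configuration: LIBXML_NOENT asks libxml to substitute entities, which is
 * what makes it resolve the SYSTEM identifier and pull external content into
 * the document. This is the parser setup XXE relies on.
 */
function parseWeak(string $xml): ?DOMDocument
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    return $doc->loadXML($xml, LIBXML_NOENT) ? $doc : null;
}

/**
 * Hardened configuration: refuse any document that carries a DTD (the only
 * place an entity can be declared), never pass LIBXML_NOENT, and forbid
 * network fetches with LIBXML_NONET. On PHP < 8.0 the process-wide entity
 * loader is switched off as well; from 8.0 on it is off by default.
 */
function parseHardened(string $xml): ?DOMDocument
{
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        return null; // reject before libxml ever sees the DTD
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    return $doc->loadXML($xml, LIBXML_NONET) ? $doc : null;
}

$weak = parseWeak(SAMPLE_XML);
echo 'weak parser: ' . ($weak === null
    ? 'rejected'
    : 'accepted, <note> = ' . var_export($weak->getElementsByTagName('note')->item(0)->textContent, true)
) . PHP_EOL;

$hard = parseHardened(SAMPLE_XML);
echo 'hardened parser: ' . ($hard === null ? 'rejected (DTD present)' : 'accepted') . PHP_EOL;

// A plain document without a DTD still parses under the hardened configuration.
$clean = parseHardened('<order><note>hello</note></order>');
echo 'hardened parser on clean input: ' . ($clean === null ? 'rejected' : 'accepted') . PHP_EOL;
```

The weak loader attempts to resolve the `SYSTEM` identifier the moment it sees `&ext;`, which is the behaviour a runtime protection has to observe and block; the hardened loader never gets that far because the document is refused as soon as a DTD is found, and ordinary DTD-less input still parses normally. Rejecting DTDs outright is the simplest robust rule: it also removes the entity-expansion denial-of-service variants the paragraph above mentions, which need no external resource at all.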

Export compromised accounts

Protecting your users’ data and identity should be as critical as protecting your own data and business.

When your users' accounts are breached on other websites (probably ones not protected by Sqreen), they often become easy targets on your own site, due to password reuse and similar factors.

The best way to defend against this is to monitor such attacks using our built-in security module.

In the event that some of your users get compromised, you can now export the list and contact them as soon as possible, or block their accounts until they have a chance to recover them.

This is only the first step. Our goal is to help you automate this process.

Review a demo ATO incident

Deep dive into your app security risk

Back at the end of last year, we introduced the notion of application security risk.

The risk rating, combined with the security flow map, has been designed to give you an overview so you can prioritize where your focus and energy are best spent.

Now, you can review in detail what made Sqreen consider a given application risky or not, and use these insights to mitigate some of the most critical risks.

We'll iterate a lot on this part in the coming weeks! Your feedback is more than welcome, as it will help us take this feature in the right direction.

Discover my apps' security risk https://my.sqreen.com/application/goto/application-risk

One token to rule them all

Up until now, deploying Sqreen on many applications was a tedious process. Basically, you needed to manually create each application from your dashboard and use its unique application token.

Meet the organization token! Using organization-based tokens, it's now 100 times easier to deploy Sqreen at scale. Just reuse the same token for all your applications and give each of them a unique name.

For now, our Ruby, Node.js, and Go agents support organization tokens. PHP is coming up this week, and Python and Java are coming up next!

Obviously, the application token remains fully supported. When you feel ready to migrate, just fetch the token and update your app's configuration. You can also manage multiple tokens if you want finer segmentation.

Fetch my organization token https://my.sqreen.com/profile/organization/tokens