SSRF protection now available in Java

The SSRF RASP protection is now available in Java!

This brings the list of compatible technologies to Node.js, Go, Python and Java.

To enable it, all you need to do is to toggle it on from your dashboard.

To learn more about SSRF and how our RASP protection works, you can check out our resources here.

Account settings update

We have added new account settings to your dashboard. You can now:

  • Add new authentication methods to your account: GitHub, Google and password/email.
  • Delete your account
  • Invite users that have already created an account to your organization.

Cheers!

New design for the agent blocking page

We have updated the design of the default agent blocking page and made it clearer that users cannot access Sqreen’s customer web application.

Whenever Sqreen tags a given request as malicious or when the requesting IP or user account has been flagged, the Sqreen agent will send back an error page. The main goal of this page is to inform the end users that they have been blocked and cannot access the requested page. The previous version of the page could be confusing to users, and in some cases they tried to sign up for Sqreen to get unblocked.

The new design is now available in the latest version of the Node.js, Go, and Python agents. It is coming to the other agents by 17th June!

Note: this change is only for our default blocking page. You can still redirect to a custom page in Settings if you wish.

Get a holistic view of your system

We have improved the Security Flow Map!

Moving forward, it will feature all application and service communications, enabling you to get a holistic view of your system.

Improvements include:

  • visualizing HTTP communications, either internally, or externally with third-party services;
  • support for new database nodes, such as Redis.

These improvements will let you identify apps without a Sqreen agent, and stay better informed about the changes happening in your infrastructure.

Agent compatibility

To make full use of the new flow map, you will need a compatible Sqreen agent version:

  • The Node.js agent supports the improved flow map starting with version 1.45.0;
  • Support for other technologies will be rolled out progressively over the next month. Stay tuned.

Sqreen Test Beta open in Node.js

Today we are excited to release Sqreen Test to all Node.js applications.

Sqreen Test enables teams to automatically stress the security of an app during its development, by running on-demand security testing sessions.

No extra installation is needed and there is no exhaustive configuration to write: Sqreen Test leverages an advanced in-app fuzzing engine and automated triage techniques to help uncover vulnerabilities.

Proactively finding (no)SQLi or XSS is now just one click away!

Screenshot of Sqreen Testing

Sqreen Test is presently in beta and we are actively looking for design partners. Please consider helping us by giving it a try and contributing your feedback.

Making our product more inclusive

Recent events have shown that, more than ever, diversity is important. Sqreen culture values tolerance and we want to democratize security for everyone. That's why we've decided to ban the terms "blacklist" and "whitelist". Moving forward, we will use "denylist" and "passlist" as a better alternative.

Remap your applications

Following the introduction of custom environments, the same application deployed in multiple environments will now appear as one on your Sqreen dashboard.

As a seasoned Sqreen user, you may have set up one application per environment rather than one entity with multiple environments, as this release now allows. For example, you might have "backend_production" and "backend_dev". In reality, they are the same "backend" application.

To make them appear as one, we are introducing a migration tool.

Animated example of how to use the remapping tool

This tool lets you remap applications in different environments under the same application. Out of the box, the wizard will do its best to suggest the new structure based on the naming conventions in use. You can also move them around manually to get the proper structure.

Screenshot of application selector

To get started, click on the message in the Application selector, or go to https://my.sqreen.com/mapping-applications.

We'd love your feedback on all this!

Customizable application access when a team member joins (RBAC)

We just added a new way to make sure all the new members of your organization get access to the right applications.

If you head to your profile > Team members, you can now configure the list of applications that any new member will have access to.

Any newly invited users will now have access by default to the applications configured here.

Note: this feature is only available to organizations with the Role-Based Access Control feature.

We're refreshing our documentation!

We strive to turn a complex topic (app security) and complex technologies (RASP, In-App WAF, dynamic instrumentation, etc.) into a simple product, and we believe documentation plays a fundamental role in explaining transparently how things work.

We have started a project to refresh our docs and are excited to announce the first of many releases today!

It features a brand new How It Works section, in both brief and in-depth versions, along with a refreshed Protection section!

Enjoy the reading! 📚

We'd love to hear your feedback about all this.

Important change to environments and tokens

Today we are introducing an important change to the way you connect and manage your applications with Sqreen.

Using Sqreen at all stages of your development lifecycle

Until now, you could categorize your applications in 3 stages: development, staging and production. This is useful when you have security alerts and need to focus on the most important ones first.

But for some of our customers, this did not match their development lifecycle, which could lead organizations to only use Sqreen in production. Yet it is valuable to use it at every stage of development: covering all the steps, however many there are, is critical to catching security issues early.

That's why we are introducing some changes to the way environments work:

  • You can now customize environments. You can create, remove and rename environments to fit your needs. The only exception is "production", which cannot be changed.
  • Environments come with dedicated tokens. When connecting a new application with one of these tokens, it will be restricted to the predefined environment. This ensures that a development token cannot be used to connect a production application. Your organization will get 3 new tokens by default: one for production, one for staging and one for development. Connecting your applications to Sqreen with these tokens is now the preferred method.

This change has no impact on your existing applications. Existing tokens still work. New ones will be tied to the environment they were generated for.

Screenshot of environments and tokens management

To manage your environments and associated tokens, go to Organization settings, then Environments & Tokens. For organizations with role-based access control, this feature is only available for admins.