We're refreshing our documentation!

We strive to turn a complex topic (app security) and its technologies (RASP, In-App WAF, dynamic instrumentation, etc.) into a simple product, and we believe documentation plays a fundamental role in explaining transparently how things work.

We started a refresh project for our docs and are excited to announce the first of many releases today!

It features a brand new How It Works section, in both brief and in-depth versions, along with a refreshed Protection section!

Enjoy the reading! 📚

We'd love to hear your feedback about all this.

Important change to environments and tokens

Today we are introducing an important change to the way you connect and manage your applications with Sqreen.

Using Sqreen at all stages of your development lifecycle

Until now, you could categorize your applications in 3 stages: development, staging and production. This is useful when you have security alerts and need to focus on the most important ones first.

But for some of our customers, this did not match their development lifecycle, which could lead some organizations to use Sqreen only in production. Yet it can be valuable to use it at all stages of development. Covering every step of development is critical to catching security issues early, regardless of how many steps there are.

That's why we are introducing some changes to the way environments work:

  • You can now customize environments. You can create, remove and rename environments to fit your needs. The only exception is "production", which cannot be changed.
  • Environments come with dedicated tokens. When you connect a new application with one of these tokens, it is restricted to the predefined environment. This ensures that a development token cannot be used to connect a production application. Your organization gets 3 new tokens by default: one for production, one for staging, and one for development. Connecting your applications to Sqreen with these tokens is now the preferred method.

This change has no impact on your existing applications. Existing tokens still work. New ones will be tied to the environment they were generated for.

Screenshot of environments and tokens management

To manage your environments and associated tokens, go to Organization settings, then Environments & Tokens. For organizations with role-based access control, this feature is only available for admins.
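To make the environment binding described above concrete, here is an added example that is not Sqreen's token format or API: a hypothetical registry in which every token carries an HMAC over its environment id, so the environment cannot be swapped without the signing key, and "production" is the one environment that cannot be renamed or removed. The `env_` id prefix, the `connect_application` function and the signing scheme are all assumptions made for the illustration.

```python
"""Added example: a hypothetical model of environment-scoped tokens. This is not
Sqreen's token format or API; it shows one way to bind a token to an environment so
that a token issued for development cannot connect a production application."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

PRODUCTION = "production"   # fixed environment: cannot be renamed or removed


class EnvironmentRegistry:
    """Organization-level environments and the tokens bound to them."""

    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key
        # environment id -> display name. Ids are stable, so renaming an
        # environment does not invalidate the tokens already bound to it.
        self._envs: Dict[str, str] = {PRODUCTION: PRODUCTION}

    def create(self, name: str) -> str:
        env_id = "env_" + secrets.token_hex(4)   # hypothetical id scheme
        self._envs[env_id] = name
        return env_id

    def rename(self, env_id: str, new_name: str) -> None:
        if env_id == PRODUCTION:
            raise PermissionError("the production environment cannot be renamed")
        if env_id not in self._envs:
            raise KeyError(env_id)
        self._envs[env_id] = new_name

    def remove(self, env_id: str) -> None:
        if env_id == PRODUCTION:
            raise PermissionError("the production environment cannot be removed")
        del self._envs[env_id]

    def name_of(self, env_id: str) -> str:
        return self._envs.get(env_id, env_id)

    def issue_token(self, env_id: str) -> str:
        """Token = env_id.nonce.tag; the HMAC tag covers the environment id, so the
        environment cannot be changed without the signing key."""
        if env_id not in self._envs:
            raise KeyError(env_id)
        nonce = secrets.token_hex(16)
        body = f"{env_id}.{nonce}"
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"

    def environment_of(self, token: str) -> Optional[str]:
        """Return the bound environment id, or None if the token is malformed,
        tampered with, or bound to an environment that no longer exists."""
        parts = token.split(".")
        if len(parts) != 3:
            return None
        env_id, nonce, tag = parts
        expected = hmac.new(self._key, f"{env_id}.{nonce}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None
        if env_id not in self._envs:
            return None
        return env_id


def connect_application(registry: EnvironmentRegistry, token: str,
                        requested_env_id: str) -> Tuple[bool, str]:
    """Accept the connection only when the token is valid and bound to the requested environment."""
    bound = registry.environment_of(token)
    if bound is None:
        return False, "invalid or revoked token"
    if bound != requested_env_id:
        return False, (f"token is bound to '{registry.name_of(bound)}' and cannot connect "
                       f"an application to '{registry.name_of(requested_env_id)}'")
    return True, registry.name_of(bound)


if __name__ == "__main__":
    registry = EnvironmentRegistry(secrets.token_bytes(32))
    development = registry.create("development")
    dev_token = registry.issue_token(development)
    print(connect_application(registry, dev_token, development))
    print(connect_application(registry, dev_token, PRODUCTION))
```

Binding the token to a stable environment id rather than to the display name is what lets renaming work without reissuing tokens, while removing an environment implicitly revokes every token bound to it.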

Logging in to Sqreen just got easier

We just enabled the possibility to log in to Sqreen using Google/GitHub SSO. Whether you are a new user or an existing one, your dashboard is now only one click away.

Just go to your settings and activate the SSO option you want. Your account and password remain valid and usable after the SSO activation.


Navigating through your applications made easier

New application navigation

As you monitor and protect more applications with Sqreen, it can be harder to navigate through a long list. Today, we are happy to share with you an updated navigation that keeps your applications organized and easier to browse!

Here's what we improved:

  • πŸ“Applications are now grouped and sorted by name. It's easier to track them across development, staging and production. To group applications that are in different environment, simply give them the same name. We're also working on a way to rename multiple applications at once, so stay tuned!
  • πŸ”This list is now searchable. You no longer need to scroll, scroll, scroll.
  • πŸ§˜β€β™€οΈWe reduced the noise. The top-level badge displays only the incident count for production apps. Of course, the number of incidents for staging and development is still available at the second level.

App Inventory: predefined searches updates

We've just updated the predefined searches in the App Inventory to leverage the latest released fields and the top use cases observed in your usage.

They should be clearer and more actionable.

With custom searches, you can save your favorite ones and access them in one click.

[Review](https://my.sqreen.com/app-inventory/table)

Improved user onboarding with SSO

Introducing a new option for organizations using role-based access control (RBAC) and single sign-on (SSO).

In the team member section, it is now possible to set the default access level for new SSO users:

  • have access to all apps by default,
  • have access to no apps by default.

https://sqreen-assets.s3-eu-west-1.amazonaws.com/miscellaneous/sso_rbac_changelog.png

This can help reduce friction for new users and let them be productive as soon as possible.

You can still further restrict new user access levels after the sign-up.

The change does not impact manually invited users - you can still specify their access levels granularly.

The default behavior remains unchanged:

  • organizations without RBAC will default to allowing access to all apps, and
  • organizations with RBAC will default to allowing access to no apps.

Sort results in the App Inventory

The App Inventory lets you filter all your applications to see the ones you should focus on. To help you make sense of search results, we've added the possibility to sort them.

Sorting works very well for many use cases. Want to know which applications have the most incidents ⚠️ or the most vulnerable packages 🐛? Click on the column to sort from smaller to larger values 🔼 or the opposite 🔽.

New Blocked actors page

We've just released a new Blocked actors page, which makes displaying and filtering them easier!

  • New improved UI to display Blocked actors
  • A new list of filters and sort parameters to help you search and visualize your blocked actors
  • Possibility to extend or unblock actors by batches using filters

RASP Protection for SSRF in Node.js and Python

Sqreen is now able to protect against first-order Server-Side Request Forgery (SSRF)!

Specifically, the new RASP module protects against malicious URLs that try to access sensitive resources in your network. To learn more about this vulnerability, see OWASP's SSRF Cheat Sheet.

You can try out this protection by clicking here!

This version of the protection does not follow redirections or detect DNS rebinding, but we are working toward addressing this limitation.
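As an added illustration of what an SSRF guard has to decide, and of the two limitations just mentioned, here is an example that is not Sqreen's RASP module: a URL check that rejects non-public destinations, a redirect follower that re-checks every hop, and pinning of the checked address so a changed DNS answer cannot redirect the connection. The host names, the addresses and the `DNS_TABLE`/`SERVER_TABLE` fixtures are constructed for the demonstration.

```python
"""Added example: an SSRF guard for outbound HTTP requests. This is not Sqreen's RASP
module; the checks, the hop-by-hop redirect handling and the address pinning are
illustrative defensive choices, and the DNS and server tables below are constructed."""
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

Resolver = Callable[[str], Iterable[str]]      # hostname -> IP address strings
Response = Tuple[int, Dict[str, str], str]     # (status, lower-cased headers, body)
Fetcher = Callable[[str, str], Response]       # (url, pinned_ip) -> response

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def is_sensitive_address(ip: str) -> bool:
    """True for loopback, private, link-local and other non-public addresses."""
    addr = ipaddress.ip_address(ip)
    # An IPv4-mapped IPv6 literal (::ffff:10.0.0.5) is judged by the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_url(url: str, resolve: Resolver) -> Tuple[Optional[str], str]:
    """Return (ip_to_connect_to, "ok") when the URL may be fetched, else (None, reason)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None, f"scheme '{parts.scheme}' not allowed"
    host = parts.hostname
    if not host:
        return None, "missing host"
    if parts.username is not None or parts.password is not None:
        return None, "userinfo in URL not allowed"   # avoids host/userinfo confusion
    try:
        ipaddress.ip_address(host)
        addresses = [host]                   # literal address: nothing to resolve
    except ValueError:
        addresses = list(resolve(host))      # exactly one lookup; its answer is reused below
    if not addresses:
        return None, f"{host} did not resolve"
    for ip in addresses:
        if is_sensitive_address(ip):
            return None, f"{host} resolves to sensitive address {ip}"
    return addresses[0], "ok"


def fetch_guarded(url: str, resolve: Resolver, fetch: Fetcher,
                  max_hops: int = 5) -> Tuple[bool, str, List[Tuple[str, Optional[str]]]]:
    """Fetch a URL, re-running check_url on every redirect target and handing the
    fetcher the exact address that passed, so a second DNS answer cannot change it."""
    hops: List[Tuple[str, Optional[str]]] = []
    for _ in range(max_hops):
        pinned_ip, reason = check_url(url, resolve)
        hops.append((url, pinned_ip))
        if pinned_ip is None:
            return False, f"blocked {url}: {reason}", hops
        status, headers, body = fetch(url, pinned_ip)
        if status in REDIRECT_STATUSES and "location" in headers:
            url = urljoin(url, headers["location"])  # relative Location values are resolved
            continue
        return True, body, hops
    return False, "too many redirects", hops


# --- constructed sample data; the names and addresses do not denote real services ---
DNS_TABLE = {"api.example": ["93.184.216.34"], "internal-admin.example": ["10.0.0.5"]}


def table_resolver(host: str) -> List[str]:
    return DNS_TABLE.get(host, [])


SERVER_TABLE: Dict[str, Response] = {
    "http://api.example/data": (200, {}, "public data"),
    "http://api.example/old": (302, {"location": "/data"}, ""),
    "http://api.example/pivot": (302, {"location": "http://internal-admin.example/"}, ""),
}


def table_fetcher(url: str, pinned_ip: str) -> Response:
    return SERVER_TABLE.get(url, (404, {}, "not found"))


class ChangingResolver:
    """Simulates a name whose answer changes between lookups (the DNS rebinding case)."""

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, host: str) -> List[str]:
        self.calls += 1
        return ["93.184.216.34"] if self.calls == 1 else ["10.0.0.5"]


if __name__ == "__main__":
    for target in ("http://api.example/old", "http://api.example/pivot"):
        print(target, "->", fetch_guarded(target, table_resolver, table_fetcher)[:2])
```

Two design points matter here: the redirect target of each hop goes through the same check as the original URL, which is how a guard that "tracks through redirections" differs from one that checks only the first request, and the address that passed the check is the one handed to the fetcher, which removes the window between check and connect that DNS rebinding relies on. A real HTTP client would need to honour that pinned address while still sending the original Host header and TLS server name.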

Configure your In-App WAF using presets

https://my.sqreen.com/application/goto/modules/waf

Use the Recommended preset for coverage without false positives! The Strict preset provides the highest coverage, but is very likely to introduce false positives.


If you'd prefer, you can still configure your In-App WAF your own way, and the preset will automatically be set to Manual.