Hacker News new | ask | show | jobs
by paulb81 2450 days ago
[I work at Sqreen]

We try to provide a “dev-tool" approach to security: free trial, simple install and dev-friendly install, no need to configure the tool for hours before getting any value, etc. I would recommend just to give it a trial.

I'm biased, but our customers love us. We serve both developers without time to handle security and large security teams. For the latter, we often see collaboration between developers and security teams.

Maybe some of the HN comments on our Launch HN will give a less biased view: https://news.ycombinator.com/item?id=20215483
1 comments
tmd83 2450 days ago
Thanks for the HN link, that's what I looked for but somehow algolia wasn't giving me the result at the time.

Two points about a potential trial. 1) Since it's a runtime tool to actually see what it can detect I assume I will actually have to generate some attacks myself to actually see it in affect? It also makes false positive testing a little harder.

The reporting and such is on the cloud I presume? Are there some documentation on what happens at the agent level and what gets send to the cloud?

link
paulb81 2450 days ago
1) If your app has decent traffic it will be attacked. But we also describe how to scan your app with Arachni on our docs: https://docs.sqreen.com/using-sqreen/how-can-i-test-sqreen-d... False positives on our RASP module are very rare. Most of our customers use it in blocking mode in production. How we do it? By using the application context. Our detection is done in-app. It's based on parsers that tokenize the query and detect injections when the user input changes the structure of the query. More details on our detection rules [1] and more details on how we do dynamic instrumentation [2]

2) It’s on the cloud [AWS]. But our agent doesn’t redirect your traffic or collect sensitive data. We scrub the data inside your agent before sending it to our servers (just like Sentry or New Relic). You can also customize this behavior. [3]

[1] https://blog.sqreen.com/block-sql-injections-not-customers/ [2] https://blog.sqreen.com/building-a-dynamic-instrumentation-a... (you also have articles for other technologies) [3] https://docs.sqreen.com/guides/how-sqreen-works/#pii-scrubbi...

link