1) If your app has decent traffic it will be attacked. But we also describe how to scan your app with Arachni on our docs: https://docs.sqreen.com/using-sqreen/how-can-i-test-sqreen-d...
False positives on our RASP module are very rare. Most of our customers use it in blocking mode in production.
How we do it? By using the application context. Our detection is done in-app. It's based on parsers that tokenize the query and detect injections when the user input changes the structure of the query.
More details on our detection rules [1] and more details on how we do dynamic instrumentation [2]
2) It’s on the cloud [AWS]. But our agent doesn’t redirect your traffic or collect sensitive data. We scrub the data inside your agent before sending it to our servers (just like Sentry or New Relic). You can also customize this behavior. [3]
We try to provide a “dev-tool" approach to security: free trial, simple install and dev-friendly install, no need to configure the tool for hours before getting any value, etc.
I would recommend just to give it a trial.
I'm biased, but our customers love us. We serve both developers without time to handle security and large security teams. For the latter, we often see collaboration between developers and security teams.
As our team is growing, having to bring cookies for a larger group can be a lot. Also, you're a bit less inclined if this happens to you two days in a row...
(message for Tyler: we're still waiting on those cookies)
At Sqreen, we love SaaS! We especially love making SaaS companies more secure :-)
The SaaS Security 1000, is a security overview of the world's fastest growing SaaS companies. We run a few basic security checks to identify network and application security issues.
No SaaS business has been harmed during that experiment ;-) (information gathered with fully passive & non-intrusive tests)
I feel Heavybit offers some great resources (even if you're not selling to a technical audience). I really recommend you to check it out https://www.heavybit.com/library/
Unfortunately, startups don't have this kind of resources (CIO/CISO etc.). What we see is that security is often handled by CTOs in Seed/SeriesA startups.
I worked on this checklist and your feedback is very appreciated.
You're right on all your points from a pure security point of view. We should be doing security as soon as possible. Unfortunately, the reality of building a startup is about finding product-market-fit. Entrepreneurs are not incentivized to do security early on. The fear strategy our industry is using for the last XX years has failed.
As security professionals, we need to help entrepreneurs and educate developers find a good balance between building a business and building good security practices. This is the goal of this checklist.
We can't expect developers to spend days implementing security best practices before even having a business.
2) It’s on the cloud [AWS]. But our agent doesn’t redirect your traffic or collect sensitive data. We scrub the data inside your agent before sending it to our servers (just like Sentry or New Relic). You can also customize this behavior. [3]
[1] https://blog.sqreen.com/block-sql-injections-not-customers/ [2] https://blog.sqreen.com/building-a-dynamic-instrumentation-a... (you also have articles for other technologies) [3] https://docs.sqreen.com/guides/how-sqreen-works/#pii-scrubbi...