The main concern I've heard from senior security experts that have advised us is about __your__ access. By embedding Sqreen to intercept all web server traffic at the gateway (e.g. WSGI in Python), your solution adds a worry about an attack vector -- if Sqreen itself is compromised, everything about our website is compromised. Or, any general server errors at Sqreen will bring down the entire web application, possibly without warning (web app won't be able to trigger 500s), with no way to remedy except removing Sqreen and re-deploying. That actually happened for us for 12+ hours during the one month we tried out Sqreen.

I think the problem you're addressing is definitely a very real and huge problem. Would love to hear your response to the above.

Re attack vectors: agreed that more code leads to more attack surface, but that's the same rationale with frameworks, other agents (APM, error/log monitoring, etc.) and often less transparent, when running on pre-packaged containers, or even on an appliance (code running on Firewalls / web app firewalls solution can usually not be audited). Our agents are not (yet) open source but are audited regularly by our users.

Sorry to hear about the bug you've hit when you tried Sqreen. Would love to know more directly (PM?) so we can debug it and provide a better experience there. The agents are using a v8 virtual machine to avoid problems of that type (we can’t mess up with the original app logic), so it acts as a sandbox there.

But tell me this: if I buy Sqreen's services, will you guarantee to make my customers (and me) financially whole should you be the source of a compromise?

Will you make us financially whole if we integrate you properly but you don't do your job?

No-one would guarantee that. That would require them to be 100% perfect (never have any bugs) and know about all possible attack types _before_ they happen. That's just not possible. New attack techniques are being invented all the time.

> will you guarantee to make my customers (and me) financially whole should you be the source of a compromise?

while possible, it'd also potentially make them instantly insolvent. Think about all the "damages" and "losses" the music industry claimed from single uploads of ripped CDs. Even if you could get a company to agree to that (not likely) the compromised people are motivated to inflate damages and the people who were the "source" of the compromise would find themselves with the options of litigating you to death for years (cheaper than a payout on inflated "damages") or going bankrupt.

The CSP on your login screen is slightly more restricted, but still allows 102 host/resource combinations through (not counting the host hosting the page itself).

Personally when evaluating a security product I'll check this stuff since if a company does not take proper security measures for themselves then how can I trust them to do it for their clients?

[1]: https://pastebin.com/RvUypSYP

It doesn't need to be perfect, but I think that for a security firm we should be able to do better.

What we spend for the subscription far outweighs what I would have had to spend to implement this. In short, a great investment.

It's fascinating to see our users come up with such interesting solutions!

> Since our app is a bit long in the tooth, we have not had the time or the opportunity to circle back and properly pay off our technical debt

At Sqreen we're very pragmatic and while we'd dream to see everyone be up to date we realise that this cannot realistically be the case - and even futile in face of zero day vulns. Thrilling to see it put to good use :)

How has your experience been going through Y Combinator?

EDIT: I just looked at Crunchbase and it says Sqreen went through an $14M Series A and YC was involved in both seed and Series A rounds (which I'm guessing is why it looks more polished). I'm guessing this is the Series A launch then (?)

[1] https://bitsensor.io/

[2] https://bitsensor.io/product/

I think any product is fine, as long as you have a kind of operational security monitoring in place covering the OWASP A7. Whether it is Apache/Nginx & ModSecurity (comes by default in K8s), Akamai, F5, Sqreen, Imperva... we all strive for that goal.

The goal of these security solutions is to enable developers to be creative, automating the daily chore of mitigation of attacks, and the compliance burden.

When I land on Bitsensor I see a bunch of text so I have to start actually parsing and understanding that text. Everything is very bright and images don't say a lot. When I browse to their product page I see a lot of white space and only a tiny actual product image that is hard to see. The remainder are not product images which make it harder for me to parse how this content is offered to me, which is a big deal when choosing a product.

I've been looking for someone to fill the gap of 'npm audit' and paying auditors for code breaches and monitoring data breaches.

The thing is even if this tool doesn't work in every case this is still likely worth my time integrating it.

Definitely want to see you more involved in contributing back to some of those open source projects you build on like node

Also do you mind saying what network graph library you use? (first gif on home page) Looks like neo4j but unsure, we do Slack network analysis and have been exploring different libraries

Today Sqreen is inbound-driven and the marketing/sales process is focused on the positive of how to make security better and more transparent, rather than attempting to stoke fear or play up the negative side.

We never had to build any dubious ROI calculation. Tech audience usually understands the need for security and we present a technical solution that is transparent and easy to use and deploy.

I feel like having a great network is absolutely essential for these startups - and it sounds like OP does have a great network, so I think they've got a good shot.

Any chance of a self-hosted offering?

And any ETA on when the .NET integration (presumably support for .NET as well as .NET Core?) will be available/in beta?

[1] https://www.sqreen.com/checklists/saas-cto-security-checklis...

FYI, Your Java install example points to a broken link (no version specified)

$ curl https://download.sqreen.com/java/sqreen-.jar -o sqreen.jar

The correct link is 'https://download.sqreen.com/java/sqreen.jar' (thus without the extra '-'.

If we detect that a vulnerability is being triggered we will virtually patch it and send remediation details to developers. We wrote a blog post [1] that explains how we detect these vulnerabilities.

[1] - https://blog.sqreen.com/block-sql-injections-not-customers/

From my understanding: it is a monitoring system that detects malicious activity.

How do they do this? Attackers need to find weaknesses. Where these weaknesses are is a pretty well-known topic. Database calls and I/O processing are weaknesses because if you can manipulate that you have a system compromise. Rendering pages is a weakness because of cross-site scripting issues or cross-site request forgery issues. (Duckduckgo is your friend if I am speaking in an ancient magic language ;-) )

An attacker needs to do some crazy stuff in order to exploit these weaknesses. In a lot of cases you can detect divergent behavior. For example, Let's say that an attacker successfully performs an SQL injection in the username. Then upon processing by the server, it executes an SQL command. This means that the server needs to execute a child process via a system call (system calls are an API exposed by the operating system to do stuff like file I/O or spawning processes and underly all of the I/O functions in any framework that you use). So what you could do is monitor these system calls and do a check on where they come from (you could do many more complicated things, I'm making this up as I write this, e.g. see [1]).

Since this system call has to go through the monitoring, you could detect that this is coming from an HTTP login request, for which database writes are not allowed. On that moment you could halt execution.

I am not saying that this is what they are doing, but upon reading it. It seems this is kind of what they are doing.

Here is a paper on it. It might seem daunting, but it isn't since the paper describes the architecture [1]. The implementation might be more daunting depending on. your familiarity with C.

[1] https://www.cs.vu.nl/~giuffrida/papers/dsn-2016.pdf

- taint user input

- simulate execution

Sounds really cool!

Almost sound like a fun side project tbh.

Seems to be a minor issue on your website when accessed from a mobile device. On my iOS + chrome the pricing page, detailed features tabs all show only the stats for the first (free) tier.

See https://www.contrastsecurity.com/