This month marks the 5 year anniversary of my co-founder Jb and me starting Sqreen. It’s been an incredible journey so far (have a look at just a few of the highlights), and milestones like this are a good opportunity to take stock, celebrate what the team has built together, and look to the future.
Sqreen was born out of Jb’s and my experiences on the Red Team at Apple. As a team of fewer than ten, we worked with thousands of the finest developers in the world, yet despite all that technical talent we still uncovered hundreds of vulnerabilities, and we could not possibly scale to keep up. Clearly, something was broken in application security, and we set out to fix it.
Today, I’m proud to say that Sqreen has a team of 70+ people, with over 800 companies protected. As part of our Application Security Management (ASM) platform, we have built agents – across six development languages – that process millions of security signals every day to identify and protect against bad actors. It’s been so incredible to see what the team has been able to accomplish in the past five years, alongside our customers and partners.
How did we get here?
The underlying mission of Sqreen has always been to democratize security. We believe this mission is critical, because application security, from how it’s approached to the technologies themselves, is broken.
Security is treated as a black box. Everything has been kept opaque — the technology, the products, and even the pricing. Nothing is self-serve. Nothing is transparent. Everything is fear-based. This approach makes it confusing, hard to understand, and hard to properly evaluate.
Technologically, application security approaches have hit a wall. Over the past decades, applications have become central to business functions and far more complex. Yet we are still trying to protect them from a single layer. Traditional approaches only use data from one layer: a scanner sees the code without knowing how it is executed, and a WAF sees the request without knowing what the code does with it. Because of this, WAFs, security scanners, and edge-based approaches can’t scale and can’t deliver the full context of a vulnerability, leading to more false positives, incomplete protection, and less visibility.
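To make the single-layer problem concrete, here is an added illustration (not Sqreen’s code or its detection logic): a crude signature check that sees only the request parameter, as an edge WAF does, next to an in-app check that sees the SQL statement the application actually built, as an instrumented database driver would. The sample requests, the toy signature, the tiny SQL tokenizer and the `instrumented_execute` hook are all constructed for this example; a real agent would record where the value was concatenated instead of searching for it.

```python
"""Edge-layer vs in-app view of the same request values (added example)."""
import re
import sqlite3

# Crude edge-style signature: it only ever sees the raw parameter.
WAF_PATTERN = re.compile(r"(?i)'\s*or\s+\S+\s*=\s*\S+|union\s+select|--|;")

# Tiny SQL tokenizer, just enough to tell whether a value stayed inside one literal.
TOKEN_RE = re.compile(r"""
      '(?:[^']|'')*'     # single-quoted string literal ('' is an escaped quote)
    | --[^\n]*           # line comment
    | \d+(?:\.\d+)?      # numeric literal
    | \w+                # keyword or identifier
    | \s+                # whitespace
    | .                  # any other single character (operators, stray quotes)
""", re.VERBOSE | re.DOTALL)


def waf_flags(param: str) -> bool:
    """Edge view: decide from the parameter string alone."""
    return bool(WAF_PATTERN.search(param))


def param_alters_structure(sql: str, param: str) -> bool:
    """In-app view: compare the request value with the statement that reached the driver.

    True when the value is not enclosed by a single string or numeric literal,
    i.e. it contributed quotes, keywords or operators to the parsed query.
    Assumption: the value is located by substring search (a toy simplification).
    """
    start = sql.find(param)
    if start == -1:
        return False  # not present verbatim: bound parameter or properly escaped
    end = start + len(param)
    for tok in TOKEN_RE.finditer(sql):
        if tok.start() <= start and end <= tok.end():
            literal = tok.group()
            if literal[0].isdigit():
                return False
            # A string literal must strictly enclose the value: a quote before and after it.
            return not (literal.startswith("'") and tok.start() < start and end < tok.end())
    return True  # value spans a token boundary: the query structure changed


class InjectionBlocked(Exception):
    """Raised by the hook when a request value rewrote the statement."""


def instrumented_execute(conn, sql, params=(), request_value=None):
    """Stand-in for a driver hook: inspect the final statement right before it runs."""
    if request_value is not None and param_alters_structure(sql, request_value):
        raise InjectionBlocked(sql)
    return conn.execute(sql, params).fetchall()


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def lookup_vulnerable(conn, name):
    # Concatenation: the request value becomes part of the statement text.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return instrumented_execute(conn, sql, request_value=name)


def lookup_hardened(conn, name):
    # Bound parameter: the value never enters the statement text at all.
    sql = "SELECT name FROM users WHERE name = ?"
    return instrumented_execute(conn, sql, (name,), request_value=name)


def compare(name):
    """(edge_flagged, in_app_flagged) for one request value against the concatenating query."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return waf_flags(name), param_alters_structure(sql, name)


# Constructed request values: benign, benign but noisy, and two injection attempts.
REQUESTS = {
    "plain": "alice",
    "noisy": "Password reset -- see ticket 42",   # trips the edge signature, harmless in context
    "tautology": "' OR 1=1 --",
    "quiet": "alice' AND 'x'='x",                 # uses no keyword the signature knows
}

if __name__ == "__main__":
    for label, value in REQUESTS.items():
        edge, in_app = compare(value)
        print(f"{label:10} edge={edge!s:5} in_app={in_app!s:5} {value!r}")
```

The edge check produces both a false positive (the support note containing `--`) and a false negative (the `AND`-based payload), because it has nothing but the string to judge. The in-app check gets both right, since it sees whether the value stayed inside the literal the developer meant it to fill, and it has nothing to do for the parameterised query because the value never reaches the statement text.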
The proof that application security is stuck is easy to spot. Six of the OWASP Top 10 vulnerabilities from 2017 are carryovers from the 2004 list. In that time, new frameworks, ORMs, and more have been introduced that in theory can solve most of these issues. Yet, despite all these mitigations, the “old” bugs are still the ones that bring us down time and time again.
On top of the classic bugs, new security logic bugs are appearing as we write more complicated code, alongside entire new areas of vulnerabilities: service-to-service threats, a more dynamic attack surface with serverless and microservices, and more threats on the client side.
So what’s the key to dealing with both old and new vulnerabilities? Richer and deeper context. Securing applications requires context regarding user behaviour and intent, the network, and in-app code and execution.
The future of security
The future of application security is holistic. To protect applications, we must be able to connect vulnerabilities to attacks, code to data, and the pre-deployment environment to the post-deployment environment. With this connected context, we can create a consistent, end-to-end security story that brings value to all of the key stakeholders — security, ops, and engineering.
Sqreen delivers this multi-layered context through Security Signals. Sqreen’s platform leverages 500+ instrumentation points across user, network, and, crucially, in-app layers, in real time. By having context across multiple layers, including the app layer, our platform is able to aggregate these security signals to deliver a holistic view of an application’s security risk that is richer and more precise than traditional approaches.
At Sqreen, we’re furthering the ASM vision in three areas:
Protect: We’re expanding our industry-leading coverage to more threats, with a Sqreen approach that automatically uses the data and context at three levels of depth: user context, network, and runtime.
Observe: To increase your visibility and deliver actionable insights, our in-app agents collect deep security signals such as stack traces, code exceptions, logs, security errors, and bad actors’ requests, and surface them to you. Armed with this rich context, you can own your security logic.
Test: Security signals are incredibly powerful, but they have one limitation: they are only produced when your application actually receives the relevant traffic, so their coverage is uneven and inconsistent. This is why we’re introducing the third pillar of Sqreen: Sqreen Test. Sqreen Test uses your post-deployment traffic and environment to test your code pre-deployment, connecting the two contexts so you can identify the vulnerabilities that matter without false positives.
Creating a common security story
Today, Sqreen’s ASM platform is helping more than 800 organizations protect, observe, and test their applications, APIs, and microservices. By leveraging in-depth security signals to create a common security story across actors, network, and applications that is useful to all teams, we can truly move application security into the future. Thank you to all Sqreeners, our customers, and our partners. Here’s to the next 5 years!