Security in depth: introducing In-App WAF and App Inventory

Today is Demo Day at Sqreen, and we’ve rolled out several exciting new features. But before we get into those, I wanted to take a step back and look at why application security needs attention and why the status quo is nowhere near good enough.

Software is central to how business gets done today. While the capabilities of new software have unlocked fantastic possibilities, the race to secure and protect that software has lagged far behind. The status quo is a piecemeal mix of unscalable, expensive, and ineffective efforts: secure coding practices, code reviews, security testing that slows development, periodic vulnerability scans and pentests, and protections placed solely at the edge.

Software teams continue to accelerate their release cycles, move to complex distributed systems and microservices, and deploy apps at internet-scale. Without robust application security that can keep up, attackers will continue to target applications, and put customer data at risk.

At Sqreen, our mission is to make security transparent and accessible to everyone. Security must fit the needs of modern organizations, and empower security teams to work closely with developers to protect and secure applications. Our aim is to build a platform to help make that a reality. 

To date, Sqreen has built the industry’s first Application Security Management (ASM) platform, which leverages microagents embedded in web applications to identify and automatically protect against threats in real time. It’s a single platform for security and developer teams to scale their security without impacting velocity. Today, we’re introducing new layers of protection and visibility to our ASM platform: In-App WAF and App Inventory. 

Adding another layer of protection: introducing In-App WAF

Security is made stronger with multiple layers of protection. To continue up-leveling your ability to protect your applications, we're introducing In-App WAF.

Web application firewalls (WAFs) have been around for a long time now. The promise of a WAF is to protect production applications against attacks. However, the world is changing: development cycles are faster, infrastructure is more complex, and applications themselves do more. WAF technology, the idea of putting a moat around the outside of applications, can’t keep up in this environment. 

Traditional WAF solutions have a range of issues when it comes to today's application environments. They are complex to deploy and install, slow, painful to maintain because of high false positive rates, unable to provide zero-day coverage, and raise real privacy concerns, among other issues.

So if WAFs aren't able to cut it anymore, why is Sqreen releasing one? Well, the fundamental issue with WAFs isn't so much their security philosophy of checking traffic against known attack patterns and rulesets, but rather where they do it: at the network level. Most of the problems above come from WAFs sitting outside of the application, on the edge. Sqreen's In-App WAF is different; it sits inside your application. As such, Sqreen leverages your full application context to offer an out-of-the-box, cloud-native WAF that's fail-safe, has limited false positives, and won't require heavy fine-tuning or maintenance.

What sitting inside the application means for a WAF

Sqreen is able to offer a WAF with these benefits because of where it's deployed. By sitting inside your app, Sqreen knows your stack and only picks the rules tailored for your app; it doesn't make sense to protect a Java application against PHP unserialization attacks, for example. By default, Sqreen only enables rules with a low false positive rate, verified by measuring the false positive rate of every rule across our global network of applications. Obvious false positives are automatically detected and disabled by Sqreen. Additional rules that trigger false positives can be easily found and disabled by the user in a central dashboard.

Concretely, running inside the application gives In-App WAF the following:

  • Easy deploy: automatic rule selection based on the OWASP Core Rule Set (CRS) means you can get started in under 5 minutes
  • No traffic redirection
  • Limited false positives
  • No configuration or fine-tuning required
  • Manageable by security, operations, or developers 
  • The ability to link attacks to logged-in users inside an app
  • Sensitive data scrubbing inside the app
  • No backend processing or learning phase
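Here is an added example, not Sqreen's own code, of the two mechanisms described above: rule selection driven by the detected stack and by a fleet-wide false positive rate, and in-app inspection that sees request parameters as the framework already decoded them, ties a hit to the logged-in user rather than just an IP, and scrubs sensitive fields from what is reported. The rule identifiers, patterns, false positive figures, threshold and requests are all constructed for illustration; the patterns are deliberately simple and are not OWASP CRS rules.

```python
import re
from dataclasses import dataclass


# Constructed rule set for illustration. Patterns are deliberately simple and
# are NOT the OWASP CRS rules; false_positive_rate stands in for a figure that
# would be measured across many deployments (here it is simply made up).
@dataclass(frozen=True)
class Rule:
    rule_id: str
    name: str
    pattern: re.Pattern
    stacks: frozenset          # technologies the rule applies to; empty = any stack
    false_positive_rate: float


RULES = [
    Rule("sqli-union", "SQL injection via UNION SELECT",
         re.compile(r"\bunion\s+(all\s+)?select\b", re.I), frozenset(), 0.002),
    Rule("xss-script", "Reflected XSS via <script> tag",
         re.compile(r"<script\b", re.I), frozenset(), 0.001),
    Rule("php-unserialize", "PHP object injection (serialized object payload)",
         re.compile(r'O:\d+:"[A-Za-z_]\w*":\d+:\{'), frozenset({"php"}), 0.001),
    Rule("java-ognl", "OGNL/EL expression injection",
         re.compile(r"[%$#]\{"), frozenset({"java"}), 0.003),
    Rule("path-traversal", "Path traversal via ../",
         re.compile(r"\.\./"), frozenset(), 0.08),   # noisy: not enabled by default
]

FP_THRESHOLD = 0.01   # assumption: rules above this rate are not enabled automatically


def select_rules(stack, rules=RULES, threshold=FP_THRESHOLD, disabled=frozenset()):
    """Pick the rules for one app: matching technology, acceptable false positive
    rate, and not switched off by the operator in the dashboard."""
    return [r for r in rules
            if (not r.stacks or stack in r.stacks)
            and r.false_positive_rate <= threshold
            and r.rule_id not in disabled]


SENSITIVE_KEYS = ("password", "passwd", "secret", "token", "authorization", "cookie")


def scrub(params):
    """Mask values whose parameter name looks sensitive before they leave the process."""
    return {k: ("<scrubbed>" if any(s in k.lower() for s in SENSITIVE_KEYS) else v)
            for k, v in params.items()}


def inspect_request(request, rules):
    """Run the selected rules over the already-decoded parameters.

    `request` is a constructed dict of the shape {"path", "user", "params"}; in a
    real agent these would come from the framework's request object, so the WAF
    inspects the same decoded values the application code is about to act on.
    """
    findings = []
    reported = scrub(request["params"])
    for param, value in request["params"].items():   # inspect raw, report scrubbed
        for rule in rules:
            if rule.pattern.search(str(value)):
                findings.append({
                    "rule": rule.rule_id,
                    "name": rule.name,
                    "param": param,
                    "path": request["path"],
                    "user": request.get("user"),   # application-level identity
                    "params": reported,
                })
    return findings


if __name__ == "__main__":
    rules = select_rules("java")
    req = {"path": "/search", "user": "alice",
           "params": {"q": "1 UNION SELECT password FROM users", "password": "hunter2"}}
    for finding in inspect_request(req, rules):
        print(finding)
```

The point to notice is that the selection step happens before any traffic is seen: a Java app never loads the PHP rule, and a rule that is known to be noisy across the fleet stays off until someone turns it on, which is what keeps the default deployment quiet without a learning phase.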

In-App WAF is an exciting addition to Sqreen's ASM platform. A major part of our ASM platform, our RASP, is the most widely deployed RASP solution in the world, but no security solution is magic. Security is about defense-in-depth: adding additional layers of protection to reduce risk. With the addition of In-App WAF, we're adding another layer, and making it easy to deploy and customize within a single platform. If you're a Sqreen user, you can check out In-App WAF in your dashboard. If you want to try the In-App WAF and Sqreen for yourself, you can sign up for a free trial.

App Inventory, the catalog of application assets

Adding more levels of protection is essential, but how can you secure what you can't see? A major challenge with protecting applications is a basic one: what applications do you even have out there, and what are they composed of? Security teams are often severely outnumbered by engineers, and they struggle to get visibility into which applications are deployed, recently updated, or accessible to outside users. Trying to gather this information manually, by adding layers of processes and checks that slow down developers, just doesn't work.

Today, security teams attempt to get visibility into applications through:

  • Manually gathered spreadsheets and diagrams that are outdated the minute they’re written
  • Network-level data that only provides limited insights
  • Internal tools that are painful to build and maintain

To tackle this problem, we're introducing Application Inventory.

Sqreen's Application Inventory is an always up-to-date, searchable source of truth for application assets. It centralizes in-app security insights collected by the Sqreen microagents deployed on our customers' applications, cataloging the key application components (third-party libraries, frameworks, ORMs, templating engines, and more) and turning them into actionable insights. Security teams get deeper visibility and control, and can stay on top of new threats with customizable real-time alerting, without becoming gatekeepers or having to slow down engineers.

Why visibility matters

Visibility into applications — beyond the traditional network layer — can provide a lot of value for security teams. Since Sqreen’s Application Inventory automatically gathers and centralizes application insights, it provides visibility to security teams without forcing them to impact developers’ release speed. Since they’re able to keep up-to-date with everything that’s deployed, security teams will be able to catch any new security issue or known vulnerability quickly and move to secure them. As a result, security teams can easily collaborate with developers to improve security and reduce risk.
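As an added illustration of the data the two preceding paragraphs describe and of how a security team would use it (not Sqreen's code; the snapshot format, function names and report shape are assumptions), the block below has three parts: a collector that records which distributions the running Python process has installed, the way an in-app agent would at startup; a search across several apps' snapshots that answers "which apps ship library X at version Y?"; and a diff between two snapshots of one app that raises an alert when a component arrives at a version on a watchlist. The app names, snapshots and watchlist are constructed; a real watchlist would be fed from an advisory feed, and a real agent would also record the framework, ORM and template engine, which importlib.metadata alone cannot tell you.

```python
import json
from importlib import metadata


def collect_runtime_inventory(app):
    """Snapshot the installed distributions visible to this Python process.

    This stands in for the collection step an in-app agent would run at startup.
    Only what importlib.metadata exposes is recorded here.
    """
    components = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if name:                                  # skip broken metadata directories
            components[name.lower()] = dist.version
    return {"app": app, "components": components}


def find_apps_using(snapshots, component, version=None):
    """Answer "which apps ship <component> (at <version>)?" across all snapshots."""
    hits = []
    for snap in snapshots:
        have = snap["components"].get(component.lower())
        if have is not None and (version is None or have == version):
            hits.append((snap["app"], have))
    return sorted(hits)


def diff_inventory(previous, current):
    """What changed between two snapshots of the same app."""
    prev, cur = previous["components"], current["components"]
    return {
        "added": {n: cur[n] for n in cur.keys() - prev.keys()},
        "removed": {n: prev[n] for n in prev.keys() - cur.keys()},
        "changed": {n: (prev[n], cur[n]) for n in prev.keys() & cur.keys() if prev[n] != cur[n]},
    }


def alerts_for(app, diff, watchlist):
    """Emit an alert for every new or changed component that lands on a watched version.

    `watchlist` maps component name -> set of versions to flag. It is constructed
    here; a real one would be populated from vulnerability advisories.
    """
    newly_present = dict(diff["added"])
    newly_present.update({n: new for n, (_, new) in diff["changed"].items()})
    return [f"{app}: {name} {version} is on the watchlist"
            for name, version in sorted(newly_present.items())
            if version in watchlist.get(name, set())]


# Constructed snapshots standing in for what three agents would have reported.
SNAPSHOTS = [
    {"app": "billing-api", "components": {"django": "2.2.4", "requests": "2.21.0", "pyyaml": "5.1"}},
    {"app": "storefront", "components": {"flask": "1.0.3", "requests": "2.22.0", "jinja2": "2.10.1"}},
    {"app": "reports-job", "components": {"pyyaml": "5.1", "requests": "2.21.0"}},
]


if __name__ == "__main__":
    # What this very process has installed (output depends on your environment).
    print(json.dumps(collect_runtime_inventory("this-process"), indent=2)[:400])
    # Fleet-wide question a security team asks the inventory.
    print(find_apps_using(SNAPSHOTS, "pyyaml", "5.1"))
    # A later deployment of billing-api: one library upgraded, one added, one dropped.
    later = {"app": "billing-api",
             "components": {"django": "2.2.4", "requests": "2.22.0", "celery": "4.3.0"}}
    change = diff_inventory(SNAPSHOTS[0], later)
    print(change)
    print(alerts_for("billing-api", change, {"requests": {"2.22.0"}}))
```

The diff-and-alert step is what "real-time alerting" amounts to in practice: the agent reports a fresh snapshot on every deploy, the backend compares it with the previous one, and only the components that actually changed are checked against whatever the team is watching, so an upgrade to a known-bad version surfaces minutes after it ships rather than at the next quarterly scan.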


App Inventory works out-of-the-box — no manual data gathering, configurations, or heavy maintenance required. It offers teams a centralized and searchable catalog of your application assets. Rationalize your environment and easily detect and surface areas of risk by checking your App Inventory dashboard.

We're super excited about App Inventory and its potential. By sitting inside the application, Sqreen is able to provide a lot of interesting data for security teams, and we plan to keep furthering the visibility security teams have into their applications. One of our future updates will provide visibility into Personally Identifiable Information (PII), for example.

If you’re already a Sqreen user, you can check out App Inventory in your existing deployment. If you haven’t tried Sqreen for yourself yet, you can sign up for a free trial and see it in action. 

The evolution of security

At Demo Day today, we introduced two fantastic new features for helping security teams, operations teams, and developers get more visibility and better protect their applications. In-App WAF delivers another layer of protection based on rulesets, but from within the application. App Inventory provides an automatically updated, out-of-the-box catalog of your application assets. Together, they let you see more and better protect what you deploy.

Application security has to start within the application. Applications are too complex to properly protect with only one layer or from the outside. Moving forward, we will continue to find ways to unlock new levels of visibility for security teams, and further optimize your toolset for stopping attackers. 

However, it’s not just a matter of better tooling. To truly advance the state of security, it must take the journey that DevOps has taken. The silos between developers and security teams need to be broken down, and security needs to be accessible and infused across the organization. We’re building a platform to support this journey at Sqreen, and we’re excited for you to join us.

If you’re interested in learning more about Sqreen, you can get a demo or sign up for a free trial. If you’d like to learn more about how we built these features, check out our posts on building the In-App WAF and App Inventory.

Comments
trackback

[…] of very cool features we just released. You can read more about the major items we introduced in our blog post about the launch. In this post, I want to shine some light on one feature in particular: the In-App WAF. I’ll […]

trackback

[…] what can we do to solve this? Glad you asked! Today, we’re announcing a new feature to address this issue, called App Inventory. In this post, I’ll provide a technical deep dive […]

faris ali (Guest)

Very good points.
