
Launch HN: Sqreen (YC W18) – Securing Web Apps - pierrebetouin
Hi HN! I'm Pierre, the co-founder of Sqreen ([https://www.sqreen.com/](https://www.sqreen.com/)).

Sqreen is an application security platform made for both engineering and security teams. We use dynamic instrumentation libraries that monitor web applications' internals to detect security anomalies and block triggered vulnerabilities at runtime. Pretty much what an Application Performance Management tool (like New Relic) is doing, but for security.

Before founding Sqreen, I led the Red Team (Offensive Security team) at Apple. I was brought on in 2006, so we're talking iMacs and iTunes at the time. The focus was initially on breaking DRM implementations (FairPlay). Over time, I had a team of 4-5 people, and had to cover most of Apple's portfolio. We needed to provide security assessments to hundreds of developers at Apple in ways that they could trust and find useful. We faced two major issues time and time again: scale (single digit team serving hundreds), and usefulness (how could we make security something that devs felt was actionable and relevant for them?). So why were these obstacles so hard to overcome?

First, security culture is broken. My team and I had to act in secrecy for years - like most security teams in companies. Our job was to break things (and we did a pretty good job there!), but we were mainly blockers instead of enablers. As is the norm, the way things were set up, our job was to say "no" - for the sake of product security—not to work collaboratively with developers on improving security together.

Second, most of the tools the industry is using today were invented in the 90's and haven't changed much since. Legacy security solutions rely on lists of known signatures of attacks that can't keep up and that generate a high number of false positives. They slow down releases and are nearly impossible to properly maintain for security teams.

The function of security within companies today is where Ops was 15 years ago, before the DevOps "revolution". Security as a function has yet to make the leap that Ops has. For small and mid-sized teams, security is either not present, or is bottlenecked by a one or two person team. For large companies, their security teams are flooded by irrelevant security alerts. And there aren't enough security professionals to improve the situation by just increasing headcount.

We saw a need for a self-service solution that brings security and developers closer together, so that security can better scale and become more useful for developers. My co-founder JB and I started Sqreen to build that solution.

Sqreen's microagent is a lightweight library that can be added in just a few commands to any web application, API, or microservice. We support Ruby, Node, PHP, Go, Java and Python. Our microagents use dynamic instrumentation [1] to automatically monitor sensitive app routines (Database calls, I/O processing, rendering of pages and more) and they use the execution context of the app to identify how the request is being processed and detect if it's triggering a vulnerability. The attack can be blocked at runtime (stopping the execution) and stack traces are provided on a dashboard. We embed a sandboxed VM inside the applications, so the CPU footprint is limited and we can't mess up with the app. Sqreen is built as a platform and security modules like Runtime Application Self-Protection (RASP), in-app WAF, or account takeover can be turned on or off.

We protect over 600 companies in production today. We've blocked SQL injections just hours after being deployed, we've identified massive account takeover tentatives, we're helping engineering teams with no security resources kickstart their security efforts, and we're helping security teams scale their security efforts without slowing down developers.

We would love to hear your feedback about Sqreen, as well as answer any questions you might have!

[1] - [https://blog.sqreen.com/building-a-dynamic-instrumentation-agent-for-node-js/](https://blog.sqreen.com/building-a-dynamic-instrumentation-agent-for-node-js/)
======
mushufasa
Congrats on the launch! I've actually tried this out, and both the developer
experience and dashboard user interface are very slick.

The main concern I've heard from senior security experts that have advised us
is about __your__ access. By embedding Sqreen to intercept all web server
traffic at the gateway (e.g. WSGI in Python), your solution adds a worry about
an attack vector -- if Sqreen itself is compromised, everything about our
website is compromised. Or, any general server errors at Sqreen will bring
down the entire web application, possibly without warning (web app won't be
able to trigger 500s), with no way to remedy except removing Sqreen and
redeploying. That actually happened for us for 12+ hours during the one month we
tried out Sqreen.

I think the problem you're addressing is definitely a very real and huge
problem. Would love to hear your response to the above.

~~~
pierrebetouin
That's a fair point (which is raised regularly) so we architected Sqreen in
a way that we have a very low security footprint. We stream security metadata
(as APM solutions stream performance metadata) so we don't need to redirect
traffic. Business information/data are usually not required to investigate a
security issue, so we strip scalars from SQL queries whenever we detect SQL
injection for instance, and we collect as little as we can.

Re attack vectors: agreed that more code leads to more attack surface, but
that's the same rationale with frameworks, other agents (APM, error/log
monitoring, etc.) and often less transparent, when running on pre-packaged
containers, or even on an appliance (code running on Firewalls / web app
firewalls solution can usually not be audited). Our agents are not (yet) open
source but are audited regularly by our users.

Sorry to hear about the bug you've hit when you tried Sqreen. Would love to
know more directly (PM?) so we can debug it and provide a better experience
there. The agents are using a v8 virtual machine to avoid problems of that
type (we can’t mess up with the original app logic), so it acts as a sandbox
there.

~~~
dsr_
"very low security footprint" -- that's great.

But tell me this: if I buy Sqreen's services, will you guarantee to make my
customers (and me) financially whole should you be the source of a compromise?

Will you make us financially whole if we integrate you properly but you don't
do your job?

~~~
masukomi
> Will you make us financially whole if we integrate you properly but you
> don't do your job?

No-one would guarantee that. That would require them to be 100% perfect (never
have any bugs) and know about all possible attack types _before_ they happen.
That's just not possible. New attack techniques are being invented all the
time.

> will you guarantee to make my customers (and me) financially whole should
> you be the source of a compromise?

while possible, it'd also potentially make them instantly insolvent. Think
about all the "damages" and "losses" the music industry claimed from single
uploads of ripped CDs. Even if you could get a company to agree to that (not
likely) the compromised people are motivated to inflate damages and the people
who were the "source" of the compromise would find themselves with the options
of litigating you to death for years (cheaper than a payout on inflated
"damages") or going bankrupt.

------
halotrope
I am unfortunately involved in a magento2 deployment. Sqreen blocked a
critical zero day sql before the official patch was out. Keep up the good
work!

~~~
pierrebetouin
Thanks! Your support means a lot to us

------
SahAssar
I haven't read through the landing page yet, but running js from third party
sources without SRI and having a very lax CSP[1] (allowing 235 host/resource
combinations) does not exactly scream "security" to me. See for example
[https://dmsec.io/hacking-thousands-of-websites-via-third-party-javascript-libraries/](https://dmsec.io/hacking-thousands-of-websites-via-third-party-javascript-libraries/)
which is also on the frontpage right next to you.

The CSP on your login screen is slightly more restricted, but still allows 102
host/resource combinations through (not counting the host hosting the page
itself).

Personally when evaluating a security product I'll check this stuff since if a
company does not take proper security measures for themselves then how can I
trust them to do it for their clients?

[1]: [https://pastebin.com/RvUypSYP](https://pastebin.com/RvUypSYP)
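The two things this comment checks for are a Content-Security-Policy that lists many third-party hosts (and weak keywords such as 'unsafe-inline') and third-party scripts loaded without Subresource Integrity. The following Python script is an added example, not the page's own material or anything from Sqreen: it parses a CSP header, counts the directive/host combinations the way the comment does, lists the weak spots, and generates and verifies an SRI integrity value for a script. The header and script bytes are constructed samples, and the findings are a small subset of what a full CSP evaluator would report.

```python
import base64
import hashlib
import hmac
import re
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def host_of(source: str) -> Optional[str]:
    """Host part of a host-source; None for keywords ('self', nonces...), '*' and bare schemes."""
    if source.startswith("'") or source == "*":
        return None
    if re.fullmatch(r"[A-Za-z][A-Za-z0-9+.-]*:", source):
        return None  # scheme-only source such as https: or data:
    return source.split("//", 1)[-1].split("/", 1)[0].lower()


UNSAFE_KEYWORDS = {"script-src": ("'unsafe-inline'", "'unsafe-eval'"),
                   "style-src": ("'unsafe-inline'",)}


def review_csp(header: str) -> dict:
    """Count third-party host/directive combinations and list the weak spots."""
    policy = parse_csp(header)
    combos = []      # (directive, host) pairs: the count the comment above refers to
    findings = []
    for directive, sources in policy.items():
        for src in sources:
            host = host_of(src)
            if host is not None:
                combos.append((directive, host))
                if host.startswith("*.") and directive in ("script-src", "default-src"):
                    findings.append(f"{directive}: {src} trusts every subdomain")
            elif src == "*" or re.fullmatch(r"https?:", src):
                findings.append(f"{directive}: {src} allows any host")
    for directive, keywords in UNSAFE_KEYWORDS.items():
        effective = policy.get(directive, policy.get("default-src", []))  # CSP fallback rule
        for kw in keywords:
            if kw in effective:
                findings.append(f"{directive}: {kw} is allowed")
    if policy.get("object-src") != ["'none'"]:
        findings.append("object-src is not 'none'")
    if "base-uri" not in policy:   # base-uri has no default-src fallback
        findings.append("base-uri is not set (it has no default-src fallback)")
    return {"combinations": len(combos),
            "distinct_hosts": len({h for _, h in combos}),
            "findings": findings}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Integrity value for a subresource: '<algo>-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, content).digest()).decode()}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Browser-style check: any listed hash of a supported algorithm may match."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in ("sha256", "sha384", "sha512") and hmac.compare_digest(sri_hash(content, algo), token):
            return True
    return False


def script_tag(url: str, content: bytes) -> str:
    """Tag to embed a third-party script pinned to the bytes that were reviewed."""
    return f'<script src="{url}" integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'


# Constructed sample policy and script (not the page's actual header).
SAMPLE_CSP = ("default-src 'self'; "
              "script-src 'self' 'unsafe-inline' https://cdn.example.com https://*.analytics.example; "
              "img-src * data:; "
              "connect-src https://api.example.com https://cdn.example.com")
SAMPLE_SCRIPT = b"window.track = function () { /* constructed */ };"

if __name__ == "__main__":
    for line in review_csp(SAMPLE_CSP)["findings"]:
        print("finding:", line)
    print(script_tag("https://cdn.example.com/track.js", SAMPLE_SCRIPT))
```

The combination count is per directive, so a CDN allowed in both script-src and connect-src counts twice, which is the figure a quick review of a header produces; distinct_hosts gives the number of organisations actually trusted. With SRI, a compromised CDN serving changed bytes fails the integrity check and the browser refuses to run the script, which is the failure mode the linked dmsec.io article describes.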

~~~
jbaviat
You are correct, our content security policy is not perfect, and we are
gradually improving it. Security is a journey and there is no such thing as
perfect security. We are striving to incrementally improve everything we are
doing as our team is scaling.

~~~
SahAssar
My question is: If you talked to a customer and they said "we have around 200
hosts not controlled by us running code and reading data from our systems, is
that a problem?" would you say "no, that is totally fine"?

It doesn't need to be perfect, but I think that for a security firm we should
be able to do better.

------
incognos
I have been using sqreen for the last 5 months. It has possibly been the best
addition to our stack. It helps us identify users who keep trying an incorrect
password and to proactively send them a password reset email with info that
they have unsuccessfully tried to login. Or to identify users who login from
multiple ips in disparate geographical areas (a compromised user possibly).
One of the greatest uses has been to mitigate the vulnerability scans which
are constant and consistent. Since our app is a bit long in the tooth, we have
not had the time or the opportunity to circle back and properly pay off our
technical debt. Sqreen makes sure that we have some decent protection
without a lot of overhead or maintenance.

What we spend for the subscription far outweighs what I would have had to
spend to implement this. In short, a great investment.
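The two signals this user describes (repeated failed logins for one account, and successful logins for one account from IPs in distant locations) are classic account-takeover heuristics. As an added example that is not from the page or from Sqreen, here is Python detection logic run over a constructed authentication log: a sliding window of failures per user that raises an alert (the point at which one would send the password-reset notice mentioned above), and an impossible-travel check using the great-circle distance between the previous and current login location. The log lines, the IP-to-coordinates table (standing in for a GeoIP database) and the thresholds are all constructed assumptions.

```python
import math
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed sample auth log using documentation IP ranges (not real traffic).
SAMPLE_LOG = """\
2024-05-01T08:00:00 user=carol ip=203.0.113.5 result=ok
2024-05-01T09:00:00 user=bob ip=203.0.113.5 result=ok
2024-05-01T09:30:00 user=bob ip=198.51.100.7 result=ok
2024-05-01T10:00:00 user=alice ip=203.0.113.9 result=fail
2024-05-01T10:01:00 user=alice ip=203.0.113.9 result=fail
2024-05-01T10:02:00 user=alice ip=203.0.113.9 result=fail
2024-05-01T10:03:00 user=alice ip=203.0.113.9 result=fail
2024-05-01T10:04:00 user=alice ip=203.0.113.9 result=fail
2024-05-01T12:00:00 user=carol ip=192.0.2.9 result=ok
""".splitlines()

# Constructed IP -> (lat, lon) table; a deployment would query a GeoIP database here.
GEO: Dict[str, Tuple[float, float]] = {
    "203.0.113.5": (48.86, 2.35),     # Paris area
    "203.0.113.9": (48.86, 2.35),
    "198.51.100.7": (40.71, -74.01),  # New York area
    "192.0.2.9": (48.84, 2.37),       # still Paris area
}

LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)")


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    ok: bool


@dataclass
class Alert:
    kind: str
    user: str
    at: datetime
    detail: str


def parse_event(line: str) -> Event:
    m = LINE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return Event(datetime.fromisoformat(m["ts"]), m["user"], m["ip"], m["result"] == "ok")


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def detect(lines: Iterable[str], max_failures: int = 5, window: timedelta = timedelta(minutes=10),
           max_speed_kmh: float = 900.0, min_distance_km: float = 100.0) -> List[Alert]:
    """Run both heuristics over the log in order and return the alerts raised."""
    failures: Dict[str, deque] = defaultdict(deque)   # recent failure timestamps per user
    last_ok: Dict[str, Event] = {}                     # most recent successful login per user
    alerts: List[Alert] = []
    for ev in map(parse_event, lines):
        if not ev.ok:
            recent = failures[ev.user]
            recent.append(ev.ts)
            while ev.ts - recent[0] > window:          # slide the window forward
                recent.popleft()
            if len(recent) == max_failures:            # fires once, as the threshold is crossed
                alerts.append(Alert("password_guessing", ev.user, ev.ts,
                                    f"{max_failures} failures within {window}: notify user, offer reset"))
            continue
        prev = last_ok.get(ev.user)
        if prev is not None and prev.ip != ev.ip:
            km = haversine_km(GEO[prev.ip], GEO[ev.ip])
            hours = (ev.ts - prev.ts).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf   # two places at the same second
            if km > min_distance_km and speed > max_speed_kmh:
                alerts.append(Alert("impossible_travel", ev.user, ev.ts,
                                    f"{km:.0f} km in {hours:.2f} h ({prev.ip} -> {ev.ip})"))
        last_ok[ev.user] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert.kind, alert.user, alert.at.isoformat(), alert.detail)
```

The minimum-distance guard keeps nearby IPs (home and office in the same city, or a carrier NAT change) from tripping the speed rule, and the failure window only fires at the threshold so one brute-force burst produces one alert rather than one per attempt.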

~~~
lloeki
> It helps us identify users who keep trying an incorrect password and to
> proactively send them a password reset email with info that they have
> unsuccessfully tried to login.

It's fascinating to see our users come up with such interesting solutions!

> Since our app is a bit long in the tooth, we have not had the time or the
> opportunity to circle back and properly pay off our technical debt

At Sqreen we're very pragmatic and while we'd dream to see everyone be up to
date we realise that this cannot realistically be the case - and even futile
in face of zero day vulns. Thrilling to see it put to good use :)

------
yingw787
I'm blown away by the website itself. It looks like you guys really know what
you're doing (or at least place product first, which opens up a lot of doors)!
I wish I could invest.

How has your experience been going through Y Combinator?

EDIT: I just looked at Crunchbase and it says Sqreen went through a $14M
Series A and YC was involved in both seed and Series A rounds (which I'm
guessing is why it looks more polished). I'm guessing this is the Series A
launch then (?)

~~~
bastijn
I'm blown away as well. I actually know a company here in NL that runs the
same product (more or less) but their website landing page [1] would make me
choose sqreen. Their product page [2] is somewhat better but on mobile still
not much compared to sqreen. Shows the power of a proper landing page.

[1] [https://bitsensor.io/](https://bitsensor.io/)

[2] [https://bitsensor.io/product/](https://bitsensor.io/product/)

~~~
kaushikt
I actually like BitSensor's website. What specifically would you say makes you
choose Sqreen over Bitsensor?

~~~
bastijn
The very first thing I see on the Sqreen landing page is an animation that
gives me an idea of what the product looks like. When I scroll down I see the
supported languages that tell me if my environment is supported. Images are
large enough to understand, even on my phone. When I browse to their product
page I get more screenshots of the product annotated with the functionality
Sqreen brings. Again images are properly sized.

When I land on Bitsensor I see a bunch of text so I have to start actually
parsing and understanding that text. Everything is very bright and images
don't say a lot. When I browse to their product page I see a lot of white
space and only a tiny actual product image that is hard to see. The remainder
are not product images which make it harder for me to parse how this content
is offered to me, which is a big deal when choosing a product.

------
inglor
Hey this looks really cool I am going to schedule a demo.

I've been looking for someone to fill the gap of 'npm audit' and paying
auditors for code breaches and monitoring data breaches.

The thing is even if this tool doesn't work in every case this is still likely
worth my time integrating it.

Definitely want to see you more involved in contributing back to some of those
open source projects you build on like node

~~~
pierrebetouin
Thank you. I’m definitely biased, but this solution does work :)

------
fillskills
Congrats on the launch! The solution is simple yet effective. I have been
exploring this space for a while and you are absolutely right that the infosec
space is due for an overhaul like what is happening with devops. Even the CTO
of Amazon said the one thing he is keeping an eye out in the next 5 years is
security.

------
chrisweekly
Hi Pierre, Kudos for writing such an _outstanding_ intro and overview. The
signal:noise ratio, content and tone are all exemplary. If it's indicative of
the quality of your solution, I think Sqreen is going to be very, very
successful. Congrats and good luck!

------
ransford
It's a nice concept. Your webpage says "Sqreen blocks attacks without false
positives." What's behind that claim?

~~~
lloeki
(Sqreen Ruby engineer here) Since the agents execute inside the
application/service, we have full context of the operations going to be
performed (e.g. whether a fragment of a SQL query a) will be executed and b)
comes from user input). Therefore we're not basing detection on contextless
patterns, and any false positive/false negative of those classes of attacks is
deemed a bug.

------
zild3d
Very cool, will try it out. As a startup experimenting with a free plan, I
found the "Badge required" to be a cool idea to get some promotion from free
users

Also do you mind saying what network graph library you use? (first gif on home
page) Looks like neo4j but unsure, we do Slack network analysis and have been
exploring different libraries

~~~
mauricesvay
We used D3.js and WebCola to build the graph. Hope that helps!

------
tosh
Kudos on launching, sounds very exciting. I personally wonder how
sales/marketing works in this industry as I often found it tough to convey
(necessary) investments that are a bit intangible and more in the cost center
/ risk reduction side than in the profit center. Anyone has thoughts on this?

~~~
pierrebetouin
Thanks! Marketing and sales in the security space was traditionally always
fear-driven - “Buy our product. If not, you’re going to get breached”. An ROI
would be built using an “average breach cost”.

Today Sqreen is inbound-driven and the marketing/sales process is focused on
the positive of how to make security better and more transparent, rather than
attempting to stoke fear or play up the negative side.

We never had to build any dubious ROI calculation. Tech audience usually
understands the need for security and we present a technical solution that is
transparent and easy to use and deploy.

------
citruspi
Took a quick look at your product - looks neat - and unfortunately your
description of the infosec space lines up with my experiences. I'm excited to
give it a go.

Any chance of a self-hosted offering?

And any ETA on when the .NET integration (presumably support for .NET as well
as .NET Core?) will be available/in beta?

~~~
pierrebetouin
Thank you! Sqreen can be deployed on any cloud or on-premise platform. The
agent just needs to communicate to our infrastructure (to send security
metadata to your dashboard). .Net should be available early next year.

------
ducktypegoose
Any plans to launch an Agent for .NET?

~~~
pierrebetouin
.Net is planned for early next year.

------
andrethegiant
First heard of Sqreen from their SaaS CTO security checklist[1]. Keep up the
good work :-)

[1] [https://www.sqreen.com/checklists/saas-cto-security-checklist](https://www.sqreen.com/checklists/saas-cto-security-checklist)

------
valbaca
Looks useful!

FYI, Your Java install example points to a broken link (no version specified)

    $ curl https://download.sqreen.com/java/sqreen-.jar -o sqreen.jar

~~~
syl20j
Thanks for reporting that! The broken link has been fixed.

The correct link is
[https://download.sqreen.com/java/sqreen.jar](https://download.sqreen.com/java/sqreen.jar)
(thus without the extra '-').

------
glamp
We use Sqreen and it's great. Best of luck!

~~~
lloeki
Thanks, much appreciated!

------
seapunk
Hi Pierre, congrats on the launch! I'm following your progress since the
beginning (2015) and your product is impressive. I saw you have Le Monde among
your customers, did you notice that more and more media companies are investing
in security?

------
mrhektor
Aside from the very slick website, I found the problem statement articulated
in your description above super convincing. Really resonated with me. Congrats
on building something that's really needed. I'll be signing up for a trial
now!

------
devopsprosiva
Congrats on the launch. Does sqreen do code analysis? How is it different from
whitesource?

~~~
pierrebetouin
We don't cover code analysis (SAST). We sit in production applications and the
microagents inspect the execution flow of requests inside apps.

If we detect that a vulnerability is being triggered we will virtually patch
it and send remediation details to developers. We wrote a blog post [1] that
explains how we detect these vulnerabilities.

[1] - [https://blog.sqreen.com/block-sql-injections-not-customers/](https://blog.sqreen.com/block-sql-injections-not-customers/)

------
pgt
Prediction: Sqreen will be acquired by New Relic or GitHub/MSFT in 12-18
months.

------
codeisawesome
The idea is quite foreign to me so I need to fully digest - but - real sexy
website!!

~~~
mettamage
I'm not the best expert at this, but I followed a couple of security courses,
so I do have some understanding.

From my understanding: it is a monitoring system that detects malicious
activity.

How do they do this? Attackers need to find weaknesses. Where these weaknesses
are is a pretty well-known topic. Database calls and I/O processing are
weaknesses because if you can manipulate that you have a system compromise.
Rendering pages is a weakness because of cross-site scripting issues or cross-
site request forgery issues. (Duckduckgo is your friend if I am speaking in an
ancient magic language ;-) )

An attacker needs to do some crazy stuff in order to exploit these weaknesses.
In a lot of cases you can detect divergent behavior. For example, Let's say
that an attacker successfully performs an SQL injection in the username. Then
upon processing by the server, it executes an SQL command. This means that the
server needs to execute a child process via a system call (system calls are an
API exposed by the operating system to do stuff like file I/O or spawning
processes and underly all of the I/O functions in any framework that you use).
So what you could do is monitor these system calls and do a check on where
they come from (you could do many more complicated things, I'm making this up
as I write this, e.g. see [1]).

Since this system call has to go through the monitoring, you could detect that
this is coming from an HTTP login request, for which database writes are not
allowed. On that moment you could halt execution.

I am not saying that this is what they are doing, but upon reading it. It
seems this is kind of what they are doing.

Here is a paper on it. It might seem daunting, but it isn't since the paper
describes the architecture [1]. The implementation might be more daunting
depending on your familiarity with C.

[1]
[https://www.cs.vu.nl/~giuffrida/papers/dsn-2016.pdf](https://www.cs.vu.nl/~giuffrida/papers/dsn-2016.pdf)

~~~
lloeki
(Sqreen Ruby engineer) You're right about the basic premise, (but not about
the details, we don't monitor syscalls): since we stand within the application
we have context of the operations performed and can pinpoint whether some
query fragment is a) executable and b) coming from a user, and therefore
reliably conclude the action is malicious.
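The launch post describes instrumenting database calls and using the request's execution context to decide whether a query is being injected, and lloeki's two replies (the one on "no false positives" above and this one) narrow the rule down to: is a fragment of the SQL (a) going to be executed and (b) derived from user input. The Python program below is an added illustration of that idea, written for this thread; it is not Sqreen's code and makes no claim about how their agents are built. It assumes a simplified tokenizer (single-quoted literals, SQLite-style `''` escaping), approximates taint tracking by searching the request's input in the final SQL text (a real in-app agent follows the value from the request object instead), and installs the hook by wrapping `sqlite3.connect` so the application's own unmodified code gets a guarded connection. It also contrasts the contextual check with a contextless signature check to show where the false positives come from.

```python
import re
import sqlite3
from contextvars import ContextVar

# Per-request user input the hook consults (constructed stand-in for the request
# context an in-app agent obtains from the web framework).
current_inputs: ContextVar[tuple] = ContextVar("current_inputs", default=())

TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*')      # single-quoted literal, '' escapes a quote
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<word>[A-Za-z_]\w*)          # keyword or identifier
  | (?P<other>\S)                   # operators, punctuation, stray quotes
""", re.VERBOSE | re.DOTALL)

# The contextless approach: a signature list applied to the raw input alone.
SIGNATURE_RE = re.compile(r"'|--|\bOR\b|\bUNION\b|\bDROP\b", re.IGNORECASE)


def signature_flags(value: str) -> bool:
    """Legacy-style check: matches the input without knowing how it will be used."""
    return bool(SIGNATURE_RE.search(value))


def _occurrences(text: str, needle: str):
    i = text.find(needle)
    while i != -1:
        yield i, i + len(needle)
        i = text.find(needle, i + 1)


def _is_data(tokens, start: int, end: int) -> bool:
    """True if [start, end) sits inside exactly one string or numeric literal."""
    hits = [m for m in tokens if m.start() < end and m.end() > start]
    if len(hits) != 1:
        return False
    m = hits[0]
    if m.lastgroup == "string":
        return m.start() < start and end < m.end()   # strictly between the quotes
    if m.lastgroup == "number":
        return (m.start(), m.end()) == (start, end)  # the whole number, nothing more
    return False


def input_is_executable(query: str, value: str) -> bool:
    """Context-aware check: does the user value reach the query as executable SQL?

    The value counts as data if every place it appears in the final query is the
    inside of a single literal; anything else (keywords, operators, comments, or
    a span across several tokens) means it changed the query's structure.
    """
    if not value:
        return False
    tokens = list(TOKEN_RE.finditer(query))
    spans = [s for needle in {value, value.replace("'", "''")}
             for s in _occurrences(query, needle)]
    if not spans:
        return False                 # e.g. a parameterised query: value never in the text
    return not any(_is_data(tokens, s, e) for s, e in spans)


class AttackBlocked(Exception):
    """Raised instead of running the query: the app sees an exception, not a breach."""


class GuardedConnection(sqlite3.Connection):
    """sqlite3 connection whose execute() checks the request's input before running SQL."""
    def execute(self, sql, parameters=()):
        for value in current_inputs.get():
            if input_is_executable(sql, value):
                raise AttackBlocked(f"input {value!r} reached SQL as executable text")
        return super().execute(sql, parameters)


_real_connect = sqlite3.connect


def install_agent() -> None:
    """Hook sqlite3.connect so unmodified application code gets the guarded connection."""
    sqlite3.connect = lambda *a, **kw: _real_connect(*a, factory=GuardedConnection, **kw)


# --- The application under protection (constructed sample) ---------------------

def find_user_unsafe(conn, name):
    # Deliberately vulnerable: string concatenation, the kind of code the hook protects.
    return conn.execute(f"SELECT id, name FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn, name):
    # Parameterised: the value never becomes part of the SQL text.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def handle_request(conn, name, lookup):
    """Framework entry point: records the request's input for the hook, then runs the view."""
    token = current_inputs.set((name,))
    try:
        return lookup(conn, name)
    finally:
        current_inputs.reset(token)


def demo() -> dict:
    install_agent()
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("O'Brien",)])
    out = {"benign": handle_request(conn, "alice", find_user_unsafe),
           "apostrophe": handle_request(conn, "O'Brien", find_user_safe)}
    for label, lookup in (("attack_unsafe", find_user_unsafe), ("attack_safe", find_user_safe)):
        try:
            handle_request(conn, "' OR '1'='1", lookup)
            out[label] = "allowed"
        except AttackBlocked:
            out[label] = "blocked"
    return out


if __name__ == "__main__":
    print(demo())
```

The contrast the thread is about shows up directly: `signature_flags("O'Brien")` is a hit, while the contextual check sees the properly escaped `'O''Brien'` as one literal and lets it through, and the same injection string is blocked when concatenated but passes untouched through the parameterised query because it never becomes SQL text. The check runs where the query is about to execute, not on the incoming request, which is the difference from the syscall-monitoring sketch earlier in this thread.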

~~~
codeisawesome
Interesting! The performance of string matching (or even more exotic things
like real-time AST generation or even ML) must be better than interfering with
every call to system APIs. Thanks for posting.

------
mceachen
This looks great! Just went through onboarding process for PhotoStructure (a
node app using ExpressJS). It was simple to install, the getting-started app
was clear, and the resulting dashboard was impressive. Kudos to the team.

------
bastijn
Congrats on the launch! Impressive product.

Seems to be a minor issue on your website when accessed from a mobile device.
On my iOS + chrome the pricing page, detailed features tabs all show only the
stats for the first (free) tier.

~~~
pierrebetouin
Good catch! We will fix that

------
sidcool
Congrats on launching. A question. How do you update the Sqreen micro agents
deployed within a microservices architecture? As security threats evolve one
would need to patch Sqreen too, right?

~~~
lloeki
(Sqreen Ruby engineer here) Agents are mostly glue to bind to and instrument
code on the specific runtime/framework as well as communicate security
metadata to our servers. Most of the event detection logic is dynamically
pushed to the agents and runs isolated. This means security logic can usually
be updated without having to update the agents themselves (although we do
improve the agents themselves on a regular basis!) or even restart the
app/service.
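The architecture described in this reply is: the agent installed in the app is thin glue, and the detection logic arrives from the backend and is swapped at runtime without re-instrumenting or restarting the service. The following Python sketch is an added example of that shape and is not Sqreen's code: detection rules are plain data (versioned JSON bundles) interpreted by a fixed evaluator, the instrumented handler is wrapped once at startup and never touched again, and a push atomically replaces the active rule set while refusing stale (lower-version) bundles. The hook name, bundle format and the "ExampleScanner" user-agent rule are all constructed assumptions; the sandboxed VM the thread mentions is not reproduced here, and rules-as-data is simply one way to keep pushed logic from being arbitrary code.

```python
import json
import re
import threading
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class RuleSet:
    version: int
    rules: tuple          # plain data interpreted by the engine, never executed as code


class RuleEngine:
    """Fixed evaluator: only the data it interprets changes at runtime."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._current = RuleSet(0, ())

    @property
    def version(self) -> int:
        return self._current.version

    def push(self, bundle_json: str) -> int:
        """Install a rule bundle (what a backend push would deliver); returns its version."""
        bundle = json.loads(bundle_json)
        compiled = tuple({**r, "regex": re.compile(r["regex"])} for r in bundle["rules"])
        new = RuleSet(int(bundle["version"]), compiled)
        with self._lock:              # atomic swap: readers see the old or the new set, never a mix
            if new.version <= self._current.version:
                raise ValueError(f"stale bundle v{new.version}, have v{self._current.version}")
            self._current = new
        return new.version

    def evaluate(self, hook: str, payload: Dict[str, str]) -> List[str]:
        """Names of rules bound to `hook` whose pattern matches the payload field."""
        snapshot = self._current      # one consistent rule set per evaluation
        return [r["name"] for r in snapshot.rules
                if r["hook"] == hook and r["regex"].search(payload.get(r["field"], ""))]


engine = RuleEngine()


class Blocked(Exception):
    pass


def instrument(hook: str) -> Callable:
    """Wrapper the agent applies once at startup; rule updates never re-apply it."""
    def wrap(fn: Callable[[dict], str]) -> Callable[[dict], str]:
        def guarded(payload: dict) -> str:
            hits = engine.evaluate(hook, payload)
            if hits:
                raise Blocked(",".join(hits))
            return fn(payload)
        return guarded
    return wrap


@instrument("http.request")
def handle_request(request: dict) -> str:
    """Stand-in for the application's own request handler."""
    return f"served {request['path']}"


# Constructed bundles: v2 adds a rule without touching the running handler.
TRAVERSAL = {"name": "path-traversal", "hook": "http.request", "field": "path",
             "regex": r"\.\./", "action": "block"}
SCANNER = {"name": "example-scanner", "hook": "http.request", "field": "user_agent",
           "regex": r"^ExampleScanner/", "action": "block"}
BUNDLE_V1 = json.dumps({"version": 1, "rules": [TRAVERSAL]})
BUNDLE_V2 = json.dumps({"version": 2, "rules": [TRAVERSAL, SCANNER]})


def outcome(request: dict) -> str:
    try:
        handle_request(request)
        return "allowed"
    except Blocked as exc:
        return f"blocked:{exc}"


def demo() -> dict:
    scan = {"path": "/login", "user_agent": "ExampleScanner/1.0"}   # constructed request
    engine.push(BUNDLE_V1)
    results = {"scan_v1": outcome(scan)}
    engine.push(BUNDLE_V2)                                             # no restart, no re-wrap
    results["scan_v2"] = outcome(scan)
    results["traversal_v2"] = outcome({"path": "/static/../../etc", "user_agent": "x"})
    return results


if __name__ == "__main__":
    print(demo())
```

The version check matters in practice: if pushes can arrive out of order (two backend nodes, a retried request), an old bundle must not silently roll back a newer one, and a defender wants the active version reported in telemetry so a fleet can be checked for agents that never received an update.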

------
bradknowles
I’m curious — how does this compare to Contrast Security?

See [https://www.contrastsecurity.com/](https://www.contrastsecurity.com/)

------
bdcravens
The free trial doesn't tell me anything about how much time, etc.

~~~
pierrebetouin
Indeed, we'll fix this asap - thanks for catching!

------
IOT_Apprentice
This looks very cool. No Swift or Erlang/Elixir? :)

------
AtomicOrbital
Is your tool HIPAA compliant? Would love to use it on my secure messaging
system we wrote for the medical community.

------
j_halden
Sqreen is awesome we have been using it for over a year and have loved all the
new features they have put out!

------
dvdhnt
I look forward to reviewing your platform.

A minute ago, I visited the site, but was distracted by the logo. It looks a
lot like webpack's logo ([https://webpack.js.org/](https://webpack.js.org/))
so I went to see if you two are connected. Looks like you're not.

I'll have to check back later. Good luck.

------
bashwizard
Any plans on a bug bounty program?

