For some time I tried to find an easy and affordable solution to harden my application security. There are a lot of ways to monitor and block traffic directly on a server, but in some cases that's not possible. For example, with Heroku you can't configure your server freely, since it's a Platform as a Service. Finally, after a long search, I found a service called Sqreen, and it did more than I expected.

Since Sqreen delivered more than I expected, I want to share my experience with you all. I have used Sqreen for some time now and have real results on how it behaves in action.

How does it work?

The Sqreen agent needs to be dropped into your software (I will go through this later on), and it starts to inspect all incoming HTTP requests. At this point, you may think this will slow down your application, but that won't happen, since none of the traffic is redirected anywhere.

The agent software will monitor traffic for various events like:

  • Malicious activity
  • Commands executed by your application
  • SQL queries (also NoSQL queries) for vulnerabilities
  • File and network accesses
  • Execution flows in your application

And on top of all that, Sqreen also monitors suspicious user activities at the authentication layer. That's quite a sweet set of goodies, but like the TV-Shop says, "Wait, there's more...!" One of the best things in Sqreen is the stack traces it will gather for you; this helps out a lot when finding out what happened and what needs fixing.

The Sqreen agent won't only analyze all this; it will also block attacks once they are identified.

Sqreen gives a wide variety of settings to customize your protection

Is it really working?

I have used Sqreen for some time in a quite busy environment and it really has helped out a lot. We have over 1.4 million requests in 30 days, all of which are monitored by Sqreen. There have been malicious requests as well, as attacks sometimes happen. Everything has been blocked, reported and mentioned as an incident on the Sqreen dashboard. Every incident can be opened up, and it has a lot of information about what happened.

You can see all important details directly when you log in

As mentioned before, there is security monitoring on the authentication layer. It summarizes logins which are suspicious, users who are using the Tor network, and password retries, and can sum up which accounts seem to be more hazardous than others.

User details

Back to the question, is it working? Yes, it's really working!

One thing you need to consider is the authentication layer information vs. your privacy policy. To make use of this feature, the agent will deliver usernames from login to Sqreen, since it's the only way to identify which users are doing what. I don't see any problem here, but you need to remember to mention in your privacy policy that some information is sent to a 3rd party. You can find more information about this from Sqreen, and they can surely answer more precisely what data is used and how.

One last thing to mention: Sqreen also monitors your software dependencies and will inform you if you have old and/or vulnerable dependencies in your software.

Details of blocked vulnerability

Installation

Sqreen works with Ruby, Node.js, PHP and Java. Since this is about Rails, after all, I will only say a couple of words about the Ruby part of the installation. Full instructions will be shown once you sign up and start using Sqreen. This here is just for you to see how easy it is.

  1. You need to add the sqreen gem to your Gemfile
  2. Run bundle install
  3. Create config/sqreen.yml and insert your Sqreen token there

All this comes to you nicely in a copy-paste ready format once you set up your software on the Sqreen site.

If you haven't already clicked any of the links in this article, here is the link once more: https://sqreen.io :)