Sqreen’s architecture has evolved a lot over the years. As one of the main protagonists in all these changes, I’m often asked about the previous steps we took and the rationale behind them. It’s an interesting, albeit long, conversation, so I thought ...
Remote code execution (RCE) is a class of software security flaws/vulnerabilities. RCE vulnerabilities will allow a malicious actor to execute any code of their choice on a remote machine over LAN, WAN, or internet. RCE belongs to the broader class of ...
Node.js is extremely popular nowadays, primarily as a backend server for web applications. However, in the world of microservices, you can find it pretty much everywhere, playing different and important roles in a bigger application stack. One of the ...
GraphQL is one of the hottest topics in the API world right now. It provides an abstraction layer over more traditional HTTP communications, and has changed the way we build web applications by providing us with modern and easy-to-use tooling. As with ...
Lambdas are a great addition to the tech ecosystem by Amazon. They can help bootstrap projects and fulfill a wide range of specific use cases. Given their usefulness, at some point, you may want to add authentication capabilities. When using AWS Lambdas, ...
On the sleepy island of Gozo, security isn’t a concern. Tourists can leave their bags on the beach and go off on an adventure without worrying that their belongings will be stolen. In my home city, however, we say that “if you don’t tie it down, it’s ...
Golang’s adoption has been increasing over the years. Successful projects like Docker, Kubernetes, and Terraform have bet heavily on this programming language. More recently, Go has been the de facto standard for building command-line tools. And for ...
Recently, we sat down with Adam Baldwin, VP of Security at npm, to discuss his approach to security and what he’s learned as far as security goes throughout his career. We wanted to share the insights that came out of our conversation. Tell me a little ...
Okay, but first: why the hell would you build a native add-on for Node.js? The Node.js/JavaScript ecosystem is the most popular in the world with more than 1 million packages hosted on npmjs.com. Also, the latest features of the language and the incredible ...
I’m guessing you’re here because you’ve got an application up on Heroku, and you’re wondering what steps you need to take to keep it secure. If so, then awesome—you’re in the right place. In this post, we’re going to be talking about securing applications ...
Earlier today, we introduced a number of very cool features we just released. You can read more about the major items we introduced in our blog post about the launch. In this post, I want to shine some light on one feature in particular: the In-App WAF. ...
Sqreen’s Application Security Management platform relies on microagents to leverage the runtime context of applications for security. Our drive when building these agents is to make our protection transparent and as frictionless as possible. The Sqreen ...
There’s no doubt that Kubernetes adoption has increased a lot since its first release. But, as Ian Coldwater said in his talk about abusing the Kubernetes defaults: Kubernetes is insecure by design and the cloud only makes it worse. Not everyone has ...
The world is becoming increasingly aware of the massive amounts of data floating around the internet. Not surprisingly, many people have concerns about this. These concerns have led to a lot of legislation around data privacy, of which GDPR is just one ...
When Amazon released their custom Graviton processor, we knew that ARM needed to be on our radar. Although clearly a first generation product, the investment required to build such a chip and Amazon’s track record were clear signs that better chips are ...
TL;DR: PHP instrumentation can be handled in many ways. When we built our PHP agent at Sqreen we made a series of architectural decisions that enabled us to maximize performance, but also allowed us to access the internals of the language. These methods ...
Debugging memory leaks is rarely a piece of cake, especially when they only happen in production. The best way I’ve found to debug memory leaks in a Node.js application on Heroku is to analyze heap dumps. Obtaining such heap dumps in production can be ...
tl;dr: Most web pentesting tools currently focus on backend exploitation (such as SQL injections, Reflected or Stored XSS, …). However, in recent years, frontend parts of applications have gained in importance to such a degree that meaningful security ...
The problem: What if you could talk to Jira to create a ticket instead of having to interrupt what you’re doing to open a new tab, and painstakingly scroll through the ticket creation form? It was brought to my attention by multiple Sqreeners, namely Arnaud, ...
WebAssembly is known for its speed capabilities and this article will put it to the test to better understand what are the best applications to start using WebAssembly today. We will compare the performance of WebAssembly with C/C++, Rust, and TypeScript. ...
Tl;dr: A backdoor was introduced on eslint-scope (version 3.7.2) upon which ESLint depends. It seems that the goal of this hack was to leak NPM tokens. We advise you to take the following actions as soon as possible: Revoke all your NPM tokens at once ...
Tl;dr: [EDIT 2018-07-16] The official ESLint post-mortem has been released. NPM already revoked all tokens at once so you probably don’t need to do this yourself. A backdoor was introduced on eslint-scope (version 3.7.2) upon which ESLint depends. It seems ...
What is a reflected XSS? An XSS allows an attacker to inject a script into the content of a website or app. When a user visits the infected page, the script will execute in the victim’s browser. This allows attackers to steal private information like ...
Vue authentication management. Introduction: Whenever you start to get serious with a project, you will most likely face the issue of how to handle client-side token-based authentication. You will have to answer these questions: How do I store my user’s ...
Following our recent release to more easily protect Single Page Applications (SPA) and static websites, we wanted to deep dive with you on the matter. “I have a lot to tell you. Do you remember the 90’s? You know, people were talking about serving static ...
A few years back, a major shift happened in the way we develop on the Web: we no longer develop only websites, we develop web applications. Thanks to modern frameworks like AngularJS, ReactJS, and VueJS, web developers are empowered to build rich and interactive ...
Monitoring the performance of a Node.js web application. Tl;dr: Building a tool to monitor how an application performs is not very difficult anymore. Two recent additions to Node.js, the Async Hooks API and the Performance Hooks API, allow anyone to closely ...
A wake-up call: It will be hard to escape 2017 without a new-found respect for the importance of application security. The Equifax breach, resulting from an exploit of a well-known vulnerability in Apache Struts, and which affected 143 million individuals, ...