Friday, 15 January, 2021 UTC

Sqreen’s architecture through the ages: part one

Sqreen’s architecture has evolved a lot over the years. As one of the main protagonists in all these changes, I’m often asked about the previous steps we took and the rationale behind them. It’s an interesting, albeit long, conversation, so I thought ... more


Thursday, 7 January, 2021 UTC

Remote code execution (RCE), explained: what it is and how to prevent it

Remote code execution (RCE) is a class of software vulnerabilities. An RCE vulnerability allows a malicious actor to execute code of their choice on a remote machine over a LAN, a WAN, or the internet. RCE belongs to the broader class of ... more


Tuesday, 5 January, 2021 UTC

Top 11 Node.js security best practices

Node.js is extremely popular nowadays, primarily as a backend server for web applications. However, in the world of microservices, you can find it pretty much everywhere, playing different and important roles in a bigger application stack. One of the ... more


Monday, 21 December, 2020 UTC

Application security for GraphQL: how is it different?

GraphQL is one of the hottest topics in the API world right now. It provides an abstraction layer over more traditional HTTP communications, and has changed the way we build web applications by providing us with modern and easy-to-use tooling. As with ... more


Tuesday, 28 January, 2020 UTC

Serverless JWT authentication with Netlify and Zeit

Lambdas are a great addition by Amazon to the tech ecosystem. They can help bootstrap projects and fulfill a wide range of specific use cases. Given their usefulness, at some point you may want to add authentication capabilities. When using AWS Lambdas, ... more


Thursday, 16 January, 2020 UTC

Top 10 Python security best practices

On the sleepy island of Gozo, security isn’t a concern. Tourists can leave their bags on the beach and go off on an adventure without worrying that their belongings will be stolen. In my home city, however, we say that “if you don’t tie it down, it’s ... more


Thursday, 19 December, 2019 UTC

Top 6 security best practices for Go

Golang’s adoption has been increasing over the years. Successful projects like Docker, Kubernetes, and Terraform have bet heavily on this programming language. More recently, Go has become the de facto standard for building command-line tools. And for ... more


Thursday, 5 December, 2019 UTC

Security interview: Adam Baldwin on iterating security at npm

Recently, we sat down with Adam Baldwin, VP of Security at npm, to discuss his approach to security and what he’s learned about security over the course of his career. We wanted to share the insights that came out of our conversation. Tell me a little ... more


Tuesday, 5 November, 2019 UTC

Building a native add-on for Node.js in 2019

Okay, but first: why the hell would you build a native add-on for Node.js? The Node.js/JavaScript ecosystem is the most popular in the world with more than 1 million packages hosted on npmjs.com. Also, the latest features of the language and the incredible ... more


Tuesday, 29 October, 2019 UTC

How to secure your Heroku application

I’m guessing you’re here because you’ve got an application up on Heroku, and you’re wondering what steps you need to take to keep it secure. If so, then awesome—you’re in the right place. In this post, we’re going to be talking about securing applications ... more


Thursday, 26 September, 2019 UTC

How to build a WAF at the application layer

Earlier today, we introduced a number of very cool features we just released. You can read more about the major items we introduced in our blog post about the launch. In this post, I want to shine some light on one feature in particular: the In-App WAF. ... more


Thursday, 12 September, 2019 UTC

Building a dynamic instrumentation agent for Java

Sqreen’s Application Security Management platform relies on microagents to leverage the runtime context of applications for security. Our drive when building these agents is to make our protection transparent and as frictionless as possible. The Sqreen ... more


Thursday, 22 August, 2019 UTC

Kubernetes security best practices

There’s no doubt that Kubernetes adoption has increased a lot since its first release. But, as Ian Coldwater said in his talk about abusing the Kubernetes defaults: Kubernetes is insecure by design and the cloud only makes it worse. Not everyone has ... more


Thursday, 1 August, 2019 UTC

Top 10 security best practices for MongoDB

The world is becoming increasingly aware of the massive amounts of data floating around the internet. Not surprisingly, many people have concerns about this. These concerns have led to a lot of legislation around data privacy, of which GDPR is just one ... more


Thursday, 9 May, 2019 UTC

How we built V8 natively on ARM

When Amazon released their custom Graviton processor, we knew that ARM needed to be on our radar. Although clearly a first generation product, the investment required to build such a chip and Amazon’s track record were clear signs that better chips are ... more


Tuesday, 30 April, 2019 UTC

Building a dynamic instrumentation agent for PHP

TL;DR PHP instrumentation can be handled in many ways. When we built our PHP agent at Sqreen we made a series of architectural decisions that enabled us to maximize performance, but also allowed us to access the internals of the language. These methods ... more


Thursday, 18 April, 2019 UTC

How to debug memory leaks in a Node.js application on Heroku

Debugging memory leaks is rarely a piece of cake, especially when they only happen in production. The best way I’ve found to debug memory leaks in a Node.js application on Heroku is to analyze heap dumps. Obtaining such heap dumps in production can be ... more


Tuesday, 5 March, 2019 UTC

Single-page applications need better auditing

tl;dr Most web pentesting tools currently focus on backend exploitation (such as SQL injection, reflected or stored XSS, …). However, in recent years, the frontend parts of applications have gained in importance to such a degree that meaningful security ... more


Tuesday, 4 December, 2018 UTC

Giving a voice to Jira

The problem: what if you could talk to Jira to create a ticket instead of having to interrupt what you’re doing to open a new tab, and painstakingly scroll through the ticket creation form? It was brought to my attention by multiple Sqreeners, namely Arnaud, ... more


Tuesday, 21 August, 2018 UTC

WebAssembly vs. the world. Should you use WebAssembly?

WebAssembly is known for its speed capabilities and this article will put it to the test to better understand what are the best applications to start using WebAssembly today. We will compare the performance of WebAssembly with C/C++, Rust, and TypeScript. ... more


Thursday, 12 July, 2018 UTC

ESLint backdoor: revoke all the tokens

Tl;dr [EDIT 2018-07-16] The official ESLint post-mortem has been released. NPM already revoked all tokens at once so you probably don’t need to do this yourself. A backdoor was introduced on eslint-scope (version 3.7.2) upon which ESLint depends. It seems ... more


Thursday, 8 March, 2018 UTC

Reflected XSS explained: how to prevent reflected XSS in your app

What is a reflected XSS? Cross-site scripting (XSS) allows an attacker to inject a script into the content of a website or app. When a user visits the affected page, the script executes in the victim’s browser. This allows attackers to steal private information like ... more


Thursday, 18 January, 2018 UTC

Authentication Best Practices for Vue

Whenever you start to get serious with a project, you will most likely face the issue of how to handle client-side token-based authentication. You will have to answer these questions: How do I store my user’s ... more


Tuesday, 19 December, 2017 UTC

Security for Static Websites

Following our recent release to more easily protect Single Page Applications (SPA) and static websites, we wanted to deep dive with you on the matter. “I have a lot to tell you. Do you remember the 90’s? You know, people were talking about serving static ... more


Tuesday, 12 December, 2017 UTC

Single Page Applications and static websites also deserve some security

A few years back, a major shift happened in the way we develop on the Web: we no longer develop only websites, we develop web applications. Thanks to modern frameworks like AngularJS, ReactJS, and VueJS, web developers are empowered to build rich and interactive ... more


Tuesday, 21 November, 2017 UTC

Monitoring the performance of a Node.js web application

Tl;dr Building a tool to monitor how an application performs is not very difficult anymore. Two recent additions to Node.js, the Async Hooks API and the Performance Hooks API, allow anyone to closely ... more


Thursday, 9 November, 2017 UTC

State of Node.js Security 2017

A wake-up call: it will be hard to escape 2017 without a new-found respect for the importance of application security. The Equifax breach, resulting from an exploit of a well-known vulnerability in Apache Struts, and which affected 143 million individuals, ... more