Hacker News: paulb81's comments

[I work at Sqreen]

We try to provide a "dev-tool" approach to security: free trial, simple install and dev-friendly install, no need to configure the tool for hours before getting any value, etc. I would recommend just giving it a trial.

I'm biased, but our customers love us. We serve both developers without time to handle security and large security teams. For the latter, we often see collaboration between developers and security teams.

Maybe some of the HN comments on our Launch HN will give a less biased view: https://news.ycombinator.com/item?id=20215483


Thanks for the HN link, that's what I looked for but somehow algolia wasn't giving me the result at the time.

Two points about a potential trial. 1) Since it's a runtime tool, to actually see what it can detect I assume I will actually have to generate some attacks myself to actually see it in effect? It also makes false positive testing a little harder.

2) The reporting and such is on the cloud I presume? Is there some documentation on what happens at the agent level and what gets sent to the cloud?


1) If your app has decent traffic it will be attacked. But we also describe how to scan your app with Arachni in our docs: https://docs.sqreen.com/using-sqreen/how-can-i-test-sqreen-d... False positives on our RASP module are very rare. Most of our customers use it in blocking mode in production. How do we do it? By using the application context. Our detection is done in-app. It's based on parsers that tokenize the query and detect injections when the user input changes the structure of the query. More details on our detection rules [1] and more details on how we do dynamic instrumentation [2].

2) It’s on the cloud [AWS]. But our agent doesn’t redirect your traffic or collect sensitive data. We scrub the data inside your agent before sending it to our servers (just like Sentry or New Relic). You can also customize this behavior. [3]

[1] https://blog.sqreen.com/block-sql-injections-not-customers/ [2] https://blog.sqreen.com/building-a-dynamic-instrumentation-a... (you also have articles for other technologies) [3] https://docs.sqreen.com/guides/how-sqreen-works/#pii-scrubbi...
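The tokenizer-based detection described in the comment above (tokenize the query, flag a user input when it changes the query's structure), as an added illustration that is not Sqreen's agent code: a small SQL lexer and a check that every user-supplied value, once the application has built the query, still lies inside a single string or number literal. The lexer grammar, the `analyze` / `is_injection` names and the sample queries are constructed for this example and are assumptions, not Sqreen's rules.

```python
import re
from typing import NamedTuple

# Minimal SQL lexer for the example (constructed here; not Sqreen's parser).
# Alternatives are tried in order, so comments and strings come before
# operators and identifiers.
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|\#[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_][A-Za-z0-9_.]*)
  | (?P<op>[=<>!]+|\|\||[-+*/%])
  | (?P<punct>[(),;])
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)

# Token kinds a correctly escaped or parameterised value may occupy.
LITERAL_KINDS = {"string", "number"}


class Token(NamedTuple):
    kind: str
    text: str
    start: int  # offset of the first character in the query
    end: int    # offset one past the last character


def tokenize(query: str) -> list[Token]:
    """Split a SQL string into tokens with their character offsets."""
    return [Token(m.lastgroup, m.group(), m.start(), m.end())
            for m in TOKEN_RE.finditer(query)]


def find_occurrences(query: str, value: str) -> list[tuple[int, int]]:
    """Offsets where the value appears, verbatim or with single quotes doubled
    (the escaping a correct application applies inside a string literal)."""
    hits = []
    for needle in {value, value.replace("'", "''")}:
        i = query.find(needle)
        while i != -1:
            hits.append((i, i + len(needle)))
            i = query.find(needle, i + 1)
    return sorted(hits)


def spanned_tokens(tokens: list[Token], start: int, end: int) -> list[Token]:
    """Non-whitespace tokens overlapping the character range [start, end)."""
    return [t for t in tokens
            if t.kind != "ws" and t.start < end and t.end > start]


def analyze(query: str, user_inputs: list[str]) -> list[dict]:
    """Return one finding per user input that changed the query's structure.

    A value lying entirely inside one string or number literal is what a
    properly escaped input looks like after the query is built. A value that
    spans several tokens, or a non-literal token, was parsed as SQL rather
    than as data: the query's structure changed, which is the signal the
    comment above describes.
    """
    tokens = tokenize(query)
    findings = []
    for value in user_inputs:
        if not value:  # an empty value matches everywhere and proves nothing
            continue
        for start, end in find_occurrences(query, value):
            spanned = spanned_tokens(tokens, start, end)
            if len(spanned) == 1 and spanned[0].kind in LITERAL_KINDS:
                continue  # data stayed data
            findings.append({"input": value,
                             "tokens": [(t.kind, t.text) for t in spanned]})
            break  # one finding per input is enough
    return findings


def is_injection(query: str, user_inputs: list[str]) -> bool:
    return bool(analyze(query, user_inputs))


if __name__ == "__main__":
    # Constructed sample queries, as an application would have built them.
    samples = [
        ("SELECT * FROM users WHERE name = 'alice' AND age > 30", ["alice", "30"]),
        ("SELECT * FROM users WHERE name = 'O''Reilly'", ["O'Reilly"]),
        ("SELECT * FROM users WHERE name = '' OR 1=1 --'", ["' OR 1=1 --"]),
        ("SELECT * FROM users WHERE id = 1 OR 1=1", ["1 OR 1=1"]),
    ]
    for q, inputs in samples:
        print("INJECTION" if is_injection(q, inputs) else "ok       ", q)
        for f in analyze(q, inputs):
            print("   input", repr(f["input"]), "spans", f["tokens"])
```

The point the check makes is that a value like `O'Reilly`, escaped properly, still tokenizes as one string literal and passes, while `' OR 1=1 --` spills across a literal, an identifier, operators and a comment and is flagged; no signature list is involved. A production agent would track values through the application rather than searching for them by text (a very short value can coincidentally match an unrelated part of the query) and would use a dialect-aware lexer, which is what this toy version leaves out.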


A lot of these features are actually already inside our product Sqreen, but it "only" starts at $250/month.

We're also hiring if you want to help us build the missing items ;)


As our team is growing, having to bring cookies for a larger group can be a lot. Also, you're a bit less inclined if this happens to you two days in a row...

(message for Tyler: we're still waiting on those cookies)


Thanks for the feedback! That makes complete sense. We are going to update that


While you're at it, "Monitor your user's computers" appears twice. The first time under your users appears to be correct, but the second occurrence has a description about how Let's Encrypt is a free, easy-to-use option. I'm guessing the second heading should be "Use encryption on all your web sites and APIs" or similar?


Thanks! Deploying the fix and stealing your heading suggestion :)


At Sqreen, we love SaaS! We especially love making SaaS companies more secure :-)

The SaaS Security 1000 is a security overview of the world's fastest growing SaaS companies. We run a few basic security checks to identify network and application security issues.

No SaaS business has been harmed during that experiment ;-) (information gathered with fully passive & non-intrusive tests)

Have feedback or a question?


I feel Heavybit offers some great resources (even if you're not selling to a technical audience). I really recommend you check it out: https://www.heavybit.com/library/


This is really great input! Thank you.

We will definitely take this into consideration for the next iteration.


Thank you. You're right. We will change that


Thanks for your input.

Unfortunately, startups don't have this kind of resource (CIO/CISO etc.). What we see is that security is often handled by CTOs in Seed/Series A startups.


It's inspired by this checklist.

You can get two code implementations here: https://github.com/sqreen/CTOSecurityChecklist https://github.com/sqreen/DevOpsSecurityChecklist

