Data security and privacy with Sqreen

Sqreen takes data security very seriously and is committed to ensuring that your data remains secure and private.

Inside your app

The Sqreen Microagent is a library that you install in your application. The microagent contains the Security Engine inside a self-contained sandbox (a V8 JavaScript engine) inside your application. From inside this sandbox, the Security Engine performs all its critical checks and executes all callbacks on instrumented functions but remains insulated from your app. Read more about how the Sqreen Microagent works.

The microagent collects metadata for requests into your app and sends this metadata to the Sqreen Platform via a secure HTTPS connection. While performing these actions, the microagent keeps your application and its data safe.

  • The microagent does not redirect traffic into your application, avoiding exposure through a proxy.
  • The microagent does not store the metadata it collects; after securely sending the metadata to the Sqreen Platform and getting an acknowledgment of receipt, it clears its cache.

Sensitive data

The Sqreen Microagent installed inside your app uses a secure HTTPS connection to send metadata to the Sqreen Platform. For more information, read How Sqreen works.

The microagent does not send sensitive data, including Personally Identifiable Information (PII), to the Sqreen Platform. With each heartbeat, the microagent scrubs the metadata to remove sensitive data and replaces each instance with the string Redacted by Sqreen.

By default, the microagent scrubs the following values from the metadata it sends:

  • Values that look like they contain credit card numbers, according to a basic regular expression: ^(?:\d[ -]*?){13,16}$
  • Values associated with any of the following keys:
    • password
    • secret
    • passwd
    • authorization
    • api_key
    • apikey
    • access_token

You can customize the sensitive data that the microagent redacts. Access your microagent's Configuration documentation to learn how.
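The following Python function is an added illustration, not Sqreen's own code: it applies the two default rules listed above (the card-number pattern and the sensitive-key list) to a constructed request-metadata dictionary, and accepts extra keys to mimic customization. Case-insensitive, exact-name key matching and redaction of an entire value stored under a sensitive key are assumptions made here; the card-number pattern is deliberately broad, so any 13 to 16 digit string (a millisecond Unix timestamp, for example) is redacted too.

```python
import re
from typing import Any, Iterable

# Default credit-card pattern quoted on this page: 13 to 16 digits, each
# optionally followed by spaces or hyphens.
CARD_NUMBER_RE = re.compile(r"^(?:\d[ -]*?){13,16}$")

# Default sensitive keys listed on this page (compared case-insensitively,
# an assumption of this example).
DEFAULT_SENSITIVE_KEYS = frozenset({
    "password", "secret", "passwd", "authorization",
    "api_key", "apikey", "access_token",
})

REDACTED = "Redacted by Sqreen"


def scrub(value: Any, extra_keys: Iterable[str] = ()) -> Any:
    """Return a copy of `value` with sensitive content replaced by REDACTED.

    - Anything stored under a sensitive key is redacted whole, whatever its type.
    - Any string matching the card-number pattern is redacted.
    - Dicts and lists are walked recursively; other values pass through unchanged.
    """
    sensitive = DEFAULT_SENSITIVE_KEYS | {k.lower() for k in extra_keys}

    def walk(node: Any, key: str = None) -> Any:
        if key is not None and key.lower() in sensitive:
            return REDACTED
        if isinstance(node, dict):
            return {k: walk(v, key=str(k)) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        if isinstance(node, str) and CARD_NUMBER_RE.match(node):
            return REDACTED
        return node

    return walk(value)


# Constructed sample metadata (not real microagent output).
SAMPLE_METADATA = {
    "path": "/checkout",
    "headers": {"Authorization": "Bearer abc123", "User-Agent": "curl/8.0"},
    "params": {
        "card": "4111 1111 1111 1111",      # matches the card pattern
        "order_id": "123456789012",          # 12 digits: too short to match
        "password": {"nested": "hunter2"},   # redacted whole by key
    },
}

if __name__ == "__main__":
    print(scrub(SAMPLE_METADATA))
```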

Keep your data, apps, and users secure

By default, Sqreen software notifies you whenever it detects something that is detrimental to your app's security. Be sure to follow all Sqreen recommendations to keep your app secure and enable Sqreen software to optimize its operation.

While Sqreen does all in its power to keep your data secure and private, there are steps that you can take in your technical environment to ensure the security and privacy of your data, apps, and users.

Apply Sqreen recommendations

As Sqreen monitors your apps, it identifies vulnerabilities it detects in the tools and dependencies your app uses. Where it detects a vulnerable component, Sqreen prompts you to take steps to mitigate the issue with updates or upgrades. Be sure to follow Sqreen's recommendations and promptly update all vulnerable components.

Navigate to Application Risk in your Sqreen Dashboard to evaluate security weaknesses and take action to protect your app.

Safeguard your tokens

When you first sign up to create a new account, Sqreen automatically generates a unique organization token that it uses to identify your entire organization. When you install the Sqreen Microagent in your app, you must set the Sqreen token and application name so that the microagent can establish a secure, authenticated connection with the Sqreen Platform. (For more information, read How Sqreen works.)

It is important to keep your Sqreen organization token secret so as to prevent others from gaining access to your Sqreen account. For this reason, we DO NOT recommend hard-coding the value of your token, or any login credentials or keys in your application's code. Instead, use environment variables to safely store your tokens, keys, and credentials while allowing your app to legitimately use them to log into or establish connections with APIs and SaaS providers.

Do not send sensitive data

The Sqreen Microagent installed inside your app sends metadata to the Sqreen Platform via a secure HTTPS connection. (For more information, read How Sqreen works.) By default, Sqreen Microagents do not send sensitive data, including Personally Identifiable Information (PII), to the Sqreen Platform, replacing any sensitive data with Redacted by Sqreen. Build on this best practice by taking careful steps to safeguard your sensitive data, customizing the sensitive data that Sqreen redacts as you see fit. Access your microagent's Configuration documentation to learn more.

Avoid configuring the microagent to send sensitive data, PII, or Personal Health Information (PHI) to the Sqreen Platform. Instead, use Universally Unique Identifiers (UUID) or hashes. Read this blog post to learn about best practices for user monitoring and PII.

Keep Sqreen up to date

As with any dependency, it is important to keep your Sqreen Microagent up to date with the latest software release. Heed all recommendations to update your microagent and review your microagent's release notes for information about each release.

Use Role-Based Access Control

Consider using Role-Based Access Control (RBAC) within your organization to ensure that access to your system, apps, and data is limited to authorized users.

It is unwise, and generally unnecessary, for all users of your app or system to have universal privileges or the ability to make changes or access all data, as with a system administrator. Examine your user community to identify appropriate roles within your organization, then determine which of those roles can access the most sensitive information and tools.

Use SAML

Consider using Security Assertion Markup Language (SAML) to connect with any SaaS providers, microservices, or APIs outside your organization. This standard for securely connecting and exchanging data with external entities ensures that you do not unwittingly open a window for malicious users to attack your app or network infrastructure.