How Sqreen works: In brief


Sqreen architecture

Sqreen has three parts that work together to monitor and protect your application.

The Sqreen Microagent is a library that you install inside your application. It monitors your application at runtime and communicates with the Sqreen Platform in the cloud. Without redirecting traffic into the app, the microagent inspects each request, records security-relevant metadata, then sends the metadata to the Sqreen Platform. See details: Sqreen Microagent: In depth

The Security Engine is the term Sqreen uses to describe the security layers that function inside a sandbox inside the microagent. The engine houses the Runtime Application Self-Protection (RASP), Content Security Policy (CSP) and Security Headers, and In-App Web Application Firewall (In-App WAF) layers that observe activity and block attacks from within your app. The Security Engine takes action synchronously, recording info about each request and applying security rules at runtime. Because the Security Engine operates from inside its sandbox inside the microagent, it can perform all its critical checks and execute all callbacks on instrumented functions while remaining insulated from the app's code. See details: Security Engine: In depth

The Sqreen Platform is the cloud-based command center that communicates with the microagent embedded in your app. While the Security Engine offers synchronous protection right inside your app, the Sqreen Platform operates asynchronously: it receives and aggregates request metadata from multiple instances of your app and analyzes it to detect anomalies. After analyzing an aggregated set of metadata, the platform may send new security responses to the Security Engine to instruct it on how to take action against a detected threat. See details: Sqreen Platform: In depth

Sqreen operation

The Security Engine exists inside a self-contained sandbox inside the microagent in your app. It hooks into some functions and systems of the app so it can monitor and collect security metadata.

As each request comes into your app, the microagent observes and records request metadata, such as timestamp and IP address. If it observes something suspicious, the Security Engine (the part that houses the RASP, CSP, Security Headers, and In-App WAF) can take action to block a request according to its security rules. This is how Sqreen synchronously protects your app, blocking attacks without waiting for analysis from an external entity. For the most part, where app activity falls within expected parameters, the microagent observes and records metadata and security signals.

Every 20 seconds, the microagent and the Sqreen Platform communicate with a heartbeat. The microagent scrubs the metadata about the requests it has been observing to remove any Personally Identifiable Information (PII), then sends the metadata to the Sqreen Platform. The Sqreen Platform accepts the new tranche of metadata, then sends back one of two things: an acknowledgment, or new security responses for the Security Engine.

In between heartbeats, the platform aggregates and analyzes the metadata it received from the microagent to search for anomalies. If it finds none, the next heartbeat sends an acknowledgment to the microagent; if it finds an anomaly, the next heartbeat may contain new security responses for the Security Engine. Beyond asynchronously detecting anomalies across a broader, aggregated set of metadata, the platform also:

Learn more about Sqreen operation: In depth.
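
An added sketch of the flow described in this section, not Sqreen's code or API: the request path decides locally, while the heartbeat sends PII-scrubbed metadata and applies whatever responses come back. Every class, field and response name is hypothetical, and the failed-login threshold stands in for the platform's unspecified anomaly analysis.

```python
import re
from collections import Counter, deque

# Hypothetical model of the flow; none of these names are Sqreen's API.
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PII_KEYS = {"email", "password"}          # assumed PII field names

def scrub(record):
    """Copy a metadata record with PII removed before it leaves the app."""
    return {k: "<redacted>" if k in PII_KEYS
            else EMAIL.sub("<redacted>", v) if isinstance(v, str) else v
            for k, v in record.items()}

class Microagent:
    def __init__(self, send):
        self.send = send                   # callable(batch) -> reply dict
        self.blocked_ips = set()           # security responses applied so far
        self.pending = deque(maxlen=1000)  # bounded buffer between heartbeats

    def on_request(self, req):
        """Synchronous path: decide locally, never wait on the platform."""
        allowed = req["ip"] not in self.blocked_ips
        self.pending.append({**req, "blocked": not allowed})
        return allowed

    def heartbeat(self):
        """Asynchronous path (every 20 s): send scrubbed metadata, apply the reply."""
        batch = [scrub(r) for r in self.pending]
        try:
            reply = self.send(batch)
        except OSError:                    # platform unreachable: keep working
            return False
        self.pending.clear()
        for resp in reply.get("responses", []):
            if resp["action"] == "block_ip":
                self.blocked_ips.add(resp["ip"])
        return True

class Platform:
    """Stand-in for the cloud side: aggregates failed logins per IP."""
    def __init__(self, threshold=3):
        self.threshold, self.hits, self.received, self.up = threshold, Counter(), [], True

    def receive(self, batch):
        if not self.up:
            raise ConnectionError("platform unreachable")
        self.received.extend(batch)
        self.hits.update(r["ip"] for r in batch if r.get("login_failed"))
        bad = sorted(ip for ip, n in self.hits.items() if n >= self.threshold)
        if bad:
            return {"responses": [{"action": "block_ip", "ip": ip} for ip in bad]}
        return {"ack": True}
```

With two `Microagent` instances sharing one `Platform`, neither instance sees enough failed logins to cross the threshold alone; the block response only appears once the platform has aggregated both batches, and an instance that misses a heartbeat keeps serving requests with the rules it already has.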

Sqreen performance and reliability

The microagent operates with very limited performance impact on the app in which it is installed. For most types of applications, the microagent introduces a marginal CPU overhead of approximately 4%. From the Sqreen Dashboard, you can monitor the microagent’s performance inside your app and apply a limit to the amount of time (milliseconds) that Sqreen uses to examine a request.

The Security Engine runs in a self-contained sandbox inside the microagent embedded in the application. Any execution issues that the application experiences do not impact the Security Engine or microagent, and vice versa. This guards against a single point of failure (SPOF): a microagent that experiences difficulties does not stop or otherwise prevent the app from functioning.

The microagent does not impact network performance. Though it exchanges information with the cloud-based Sqreen Platform at regular 20-second intervals, the microagent does not depend on its connection to the platform. If it disconnects from the platform, the microagent can continue to work by itself. Further, the In-App WAF does not redirect or proxy the request traffic entering your app. This guards against a single point of failure: if the In-App WAF experiences an issue, it does not affect the app.

Sqreen Dashboard

As a user, you interact with the Sqreen Platform via a web app called the Sqreen Dashboard. Use the Dashboard to do things like set performance thresholds, change security configurations, inventory your applications, and monitor application security in real time. Essentially, the Dashboard enables you to assess vulnerabilities and take action to remediate a security issue.