Test your app security with Sqreen (future release)

You can already use Sqreen to protect your application and observe its security, and in the future, you will be able to use it to test your app’s security.

When it is made available, Sqreen Test will enable teams to test the security of an application during its development. Because you install the Sqreen Microagent inside your application, it has the advantage of being able to dynamically examine the app from the inside. It knows how your app works in production, and it will be able to use this data to stress-test a newer version of your app in a pre-production environment to reveal bugs and expose vulnerabilities.

The concept of Sqreen Test addresses the need to run on-demand security testing sessions on your app in pre-production. Using the information such a security test would reveal, your engineering and security teams can drill down into the exceptions and backtraces to reveal and address security vulnerabilities. Your teams will be able to use Sqreen Test to add security testing sessions to an app's software development lifecycle (SDLC) to remediate vulnerabilities before pushing to production.

How it will work

When you install the Sqreen Microagent in your app in a production environment, it dynamically instruments the app’s functions to observe and protect the app at runtime. But while it is protecting the app, it is also learning about the requests, amassing metadata about the traffic coming into the app such as structures and payloads (Mapping phase). When it is made available, Sqreen Test will use this data for fuzzing, simulating traffic to an app in a pre-production environment to expose vulnerabilities in the code (Attack phase). Because it will be continuously learning, you will not need to adjust the tests when you publish new routes or release new business logic in your app; Sqreen Test will discover new elements and automatically begin testing them for security.

When this feature is made available, you will be able to instruct Sqreen to begin the test without manually specifying any details or testing parameters.

When it finds a bug, Sqreen Test will record the exception event including all the information an engineering or security team needs to locate and resolve the issue. You will then be able to drill into each event to figure out what caused it and how to resolve it before deploying the app to production.

If it detects a vulnerability, Sqreen Test will describe its details, such as the vulnerable business logic and the payload of the query that Sqreen Test used to successfully simulate a SQL injection, for example, so that you can remediate it. Further, Sqreen Test will offer a stack trace to show where to fix the code in the app.
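A hypothetical sketch of the mapping and attack phases described under "How it will work", together with the exception record and stack trace described just above. This is an added example written for this page, not Sqreen's code: the route, handler and traffic are all constructed, and the handler deliberately builds its query by string formatting so the fuzzing pass has a defect to surface.

```python
import sqlite3
import traceback
from collections import defaultdict

# Mapping phase: learn each route's parameter names and example values
# from observed traffic (constructed here; in the page's model this comes
# from production requests seen by the agent).
def map_traffic(requests):
    schema = defaultdict(dict)
    for route, params in requests:
        for name, value in params.items():
            schema[route].setdefault(name, []).append(value)
    return dict(schema)

# Attack phase: derive mutated payloads from values actually observed,
# so no test parameters have to be written by hand.
def mutate(value):
    base = str(value)
    return [base + "'", base * 50, "", "0", "-1"]

# Replay each route with one parameter mutated at a time and record every
# exception with the backtrace a developer needs to locate the fix.
def attack(schema, handlers):
    findings = []
    for route, params in schema.items():
        for name, seen in params.items():
            for payload in mutate(seen[0]):
                req = {k: v[0] for k, v in params.items()}
                req[name] = payload
                try:
                    handlers[route](req)
                except Exception as exc:
                    findings.append({
                        "route": route, "param": name, "payload": payload,
                        "exception": type(exc).__name__,
                        "backtrace": traceback.format_exc(),
                    })
    return findings

# Constructed pre-production handler (hypothetical) whose query is built
# by string formatting; a parameterized query would not raise here.
def user_lookup(req):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    return conn.execute(f"SELECT name FROM users WHERE id = {req['id']}").fetchall()

CONSTRUCTED_TRAFFIC = [("/user", {"id": "1"}), ("/user", {"id": "2"})]

def run():
    schema = map_traffic(CONSTRUCTED_TRAFFIC)
    return attack(schema, {"/user": user_lookup})
```

Each finding pairs the mutated payload with the exception type and a full backtrace, which is the information the text says an engineering team would drill into before deploying.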

Sqreen Test in your SDLC

When it is made available, consider using Sqreen Test to add a layer of application security testing in your CI/CD pipeline. The idea is that Sqreen Test will remove the burden of having to manually set up tests or generate simulated traffic to your app because it will leverage the data it collects from your app’s traffic in production. You will be able to execute the security test in a pre-production environment, then share the exceptions and backtrace with the team to address issues well before you release a new version of the app.

When released, Sqreen Test will even learn from the application security tests it runs. With each run, it will learn more about the way your app works and can mutate the parameters in the simulated traffic to detect deeper vulnerabilities. The vulnerabilities that Sqreen Test reveals are ones against which Sqreen will be able to protect with RASP and In-App WAF. While you already trust Sqreen to monitor and protect your app at runtime in production, in the future, you will be able to use it to secure and harden your app before its release.