Ruby Security Handbook

The document provides a list of best practices for improving Ruby on Rails application security. It includes tips such as avoiding unsafe deserialization of user data, not using file utilities or system commands with user input, validating all user data, using pre-commit hooks to check for secrets being committed, and keeping dependencies up to date by tracking and updating vulnerable packages regularly. The list is intended to help engineers get a handle on priority security issues and build more secure web applications.


The Ruby Security Handbook
INTRODUCTION
Damn, but security is hard.

It’s not always obvious what needs doing, and the payoffs of good security are at best
obscure. Who is surprised when it falls off our priority lists?

We’d like to offer a little help if you don’t mind. And by « help » we don’t mean « pitch
you our product »—we genuinely mean it.

Sqreen’s mission is to empower engineers to build secure, reliable web applications. We’ve
put our security knowledge to work in compiling an actionable list of best practices to
help you get a grip on your security priorities. It’s all on the following pages.

We hope you find it useful. If you do, share it with your network. And if you don’t, please
take to Twitter to complain loudly—it’s the best way to get our attention.

The Sqreen Team


@SqreenIO

CODE

✔ Avoid unsafe data deserialization of user data


Calling unsafe methods like JSON.load(), Marshal.load() or YAML.load() with user-
provided data can allow users to execute arbitrary code via malformed JSON or YAML.
Prefer JSON.parse() or Psych.safe_load() instead.

Learn more:

JSON.load() documentation:
http://ruby-doc.org/stdlib-2.4.1/libdoc/json/rdoc/JSON.html#method-i-load - http://bit.ly/2ooWwtD
Psych documentation:
https://ruby-doc.org/stdlib-2.4.1/libdoc/psych/rdoc/Psych.html#method-c-safe_load - http://bit.ly/2BXYx9y
Great blog post explaining the vulnerability in depth:
http://blog.codeclimate.com/blog/2013/01/10/rails-remote-code-execution-vulnerability-explained/ - http://bit.ly/2ws12vI
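An added example (not from the handbook) showing the safe calls on constructed inputs: Psych.safe_load with an explicit permitted-class list rejects a document carrying a Ruby object tag, and JSON.parse leaves a json_class key as plain data.

```ruby
require "json"
require "psych"
require "date"

# Constructed sample documents for the demonstration.
# A plain data document, as a well-behaved client would send it.
BENIGN_YAML = "---\nname: alice\nsince: 2018-06-01\nroles: [reader, editor]\n"
# A document carrying a Ruby object tag. Psych.load would instantiate the
# tagged class; safe_load refuses any class not explicitly permitted.
TAGGED_YAML = "--- !ruby/object:OpenStruct\ntable: {}\n"
# JSON with the json_class key that JSON.load (create_additions) would honour.
ADDITIONS_JSON = '{"json_class":"Range","a":[1,5,false]}'

# Parse untrusted YAML: only scalars and collections plus Date are accepted.
# Returns [:ok, value] or [:rejected, message] instead of raising, so callers
# can log the rejection without leaking a stack trace to the client.
def load_untrusted_yaml(text)
  value = Psych.safe_load(text, permitted_classes: [Date], aliases: false)
  [:ok, value]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.message]
end

# Parse untrusted JSON with JSON.parse: create_additions is off, so
# "json_class" is an ordinary key and nothing gets instantiated. max_nesting
# bounds deeply nested documents sent to exhaust the stack.
def load_untrusted_json(text)
  JSON.parse(text, max_nesting: 20, create_additions: false)
end
```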

✔ Avoid using FileUtils and File with user data


Modules like FileUtils and File allow access to the file system. Using them with unsafe data
can allow a malicious user to tamper with the content of your server.


Module documentation:
https://ruby-doc.org/stdlib-2.4.1/libdoc/fileutils/rdoc/FileUtils.html - http://bit.ly/2LL05DO
https://ruby-doc.org/core-2.4.1/File.html - http://bit.ly/2Na8NQN
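One way to let File touch a user-chosen name safely, as an added example (not the handbook's code): every name is resolved against a fixed base directory and rejected if the resolved path lands outside it. The helper names are assumptions for the demonstration.

```ruby
require "tmpdir"

class PathOutsideBase < StandardError; end

# Resolve a user-supplied file name against a fixed base directory and refuse
# anything that would land outside it. File.expand_path collapses "..", so the
# check runs on the resolved absolute path, not on the raw input. Symlinks
# inside base are not resolved here; use File.realpath after an existence
# check if that matters for your deployment.
def confined_path(base_dir, user_name)
  # expand_path treats a leading "~" as a home directory; a NUL byte makes
  # File calls raise. Neither is ever a legitimate file name from a user.
  if user_name.start_with?("~") || user_name.include?("\0")
    raise PathOutsideBase, "refusing #{user_name.inspect}"
  end
  base = File.expand_path(base_dir)
  candidate = File.expand_path(user_name, base)
  # Must be base itself or base plus a separator: "#{base}_other" would
  # otherwise pass a plain prefix check.
  unless candidate == base || candidate.start_with?(base + File::SEPARATOR)
    raise PathOutsideBase, "refusing #{user_name.inspect}: resolves outside #{base}"
  end
  candidate
end

# Read a file only if its name resolves inside the base directory.
def read_user_file(base_dir, user_name)
  File.read(confined_path(base_dir, user_name))
end

# :ok / :rejected for a user-chosen name, convenient for logging decisions.
def check_name(base_dir, user_name)
  confined_path(base_dir, user_name)
  :ok
rescue PathOutsideBase
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "report.txt"), "quarterly numbers")
    puts read_user_file(dir, "report.txt")
    puts check_name(dir, "../../etc/passwd")   # rejected
  end
end
```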

✔ Avoid using system and backticks with user data


The system method and its relatives, and backticks, all allow access to the underlying
operating system. Using them with untrusted data can allow a malicious user to tamper with the
integrity of your server.

System documentation:
https://ruby-doc.org/core-2.4.1/Kernel.html#method-i-system - http://bit.ly/2C2ZgGA
Learn how to responsibly use backticks and other child process methods:
https://medium.com/zendesk-engineering/running-a-child-process-in-ruby-properly-febd0a2b6ec8 - http://bit.ly/2MGADo3
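The argv form of child-process calls, as an added example (not the handbook's code): arguments are passed as separate array elements through Open3, so no shell ever parses the user value. The Ruby interpreter is used as a stand-in child command only so the example runs anywhere Ruby is installed.

```ruby
require "open3"
require "rbconfig"

# Run an external command with a user-controlled argument without building a
# shell command line. Passing separate argv elements to Open3.capture2e uses
# exec semantics: no shell is involved, so ";", "|" or "$(...)" in the input
# reach the child as literal characters.
def run_with_user_arg(command, *fixed_args, user_arg)
  # Belt and braces: the value must still look like what we expect. A very
  # long or non-printable argument is a bug or an attack either way.
  raise ArgumentError, "argument too long" if user_arg.bytesize > 255
  raise ArgumentError, "non-printable argument" unless user_arg.match?(/\A[[:print:]]+\z/)

  out, status = Open3.capture2e(command, *fixed_args, user_arg)
  raise "#{command} failed (#{status.exitstatus}): #{out}" unless status.success?
  out
end

# What NOT to do: interpolating into a string hands the whole line to /bin/sh.
# Kept only as the comparison; never reached with untrusted input here.
def run_interpolated(command, user_arg)
  `#{command} #{user_arg}`
end

# Stand-in child process for the demonstration: ruby printing its first
# argument back. A real tool (ls, convert, ...) is called the same way.
def echo_via_argv(user_arg)
  run_with_user_arg(RbConfig.ruby, "-e", "print ARGV[0]", "--", user_arg)
end
```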

✔ Don't implement your own crypto


The problem with cryptography is that you don’t know you are wrong until you are
hacked. So don’t do your own crypto. Use standards instead. For most crypto-related
operations, the OpenSSL standard library (or a vetted library such as RbNaCl) can help you.

Read more

https://github.com/cryptosphere/rbnacl - http://bit.ly/2wsDeId
http://ruby-doc.org/stdlib-2.4.1/libdoc/openssl/rdoc/OpenSSL.html - http://bit.ly/2NE7VR2
https://en.wikipedia.org/wiki/Scrypt - http://bit.ly/2PQMgqr
http://crypto.stackexchange.com/questions/43272/why-is-writing-your-own-encryption-discouraged - http://bit.ly/2onlGIX
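What "use the standard library" looks like in practice, as an added example (not the handbook's code): authenticated encryption with AES-256-GCM from OpenSSL::Cipher, a fresh nonce per message, and the tag verified before any plaintext is returned. The blob layout (iv || tag || ciphertext) is this example's own convention.

```ruby
require "openssl"

KEY_BYTES = 32
IV_BYTES = 12    # GCM standard nonce size
TAG_BYTES = 16

def generate_key
  OpenSSL::Random.random_bytes(KEY_BYTES)
end

# Returns iv || tag || ciphertext. aad is authenticated but not encrypted
# (e.g. a record id), so a ciphertext cannot be swapped onto another record.
def encrypt(key, plaintext, aad = "")
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv               # fresh random nonce, never reused with this key
  cipher.auth_data = aad unless aad.empty?
  body = plaintext.empty? ? "" : cipher.update(plaintext)
  ciphertext = body + cipher.final
  iv + cipher.auth_tag(TAG_BYTES) + ciphertext
end

# Returns the plaintext, or nil if the tag does not verify (tampering, wrong
# key, wrong aad). Callers treat nil as a hard failure, never as empty data.
def decrypt(key, blob, aad = "")
  return nil if blob.bytesize < IV_BYTES + TAG_BYTES
  iv = blob.byteslice(0, IV_BYTES)
  tag = blob.byteslice(IV_BYTES, TAG_BYTES)
  ciphertext = blob.byteslice(IV_BYTES + TAG_BYTES, blob.bytesize)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = aad unless aad.empty?
  body = ciphertext.empty? ? "" : cipher.update(ciphertext)
  body + cipher.final               # final raises if the tag does not match
rescue OpenSSL::Cipher::CipherError
  nil
end
```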

✔ Use a prepublish/pre-commit script to protect yourself


Before committing your code or publishing your package to a repository, you should
ensure no sensitive data will be shipped. Using a pre-commit hook or a pre-publish script
helps to prevent such leaks. You should particularly look for: Database credentials, API
keys or configuration files.

A few gems can help with placing pre-commit hooks:

https://rubygems.org/gems/pre-commit/ - http://bit.ly/2PVO0im
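A minimal pre-commit secret scan in plain Ruby, as an added example (not the pre-commit gem and not the handbook's code): it inspects only the lines being added in the staged diff and blocks the commit on a match. The sample diff, the pattern list and the fixture allowlist are constructed for the demonstration; the AWS key in it is the documented example key, not a real credential.

```ruby
#!/usr/bin/env ruby
# Install by copying to .git/hooks/pre-commit and making it executable.

# name => regexp. AKIA... is the AWS access key id shape; the others are
# common credential shapes. Extend with your own key formats.
SECRET_PATTERNS = {
  "AWS access key id" => /\bAKIA[0-9A-Z]{16}\b/,
  "private key block" => /-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/,
  "hard-coded password" => /\bpassword\s*[:=]\s*["'][^"']{4,}["']/i,
  "generic API key" => /\b(?:api[_-]?key|secret[_-]?key|access[_-]?token)\s*[:=]\s*["']?[A-Za-z0-9_\-]{16,}/i,
}.freeze

# Paths where a match is expected and harmless (test fixtures).
ALLOWED_PATH = %r{\A(?:spec|test)/fixtures/}.freeze

# Walk a unified diff and return [[path, line_no, pattern_name], ...] for
# each added line that matches. Removed and context lines are skipped.
def find_secrets_in_diff(diff_text)
  findings = []
  path = nil
  line_no = 0
  diff_text.each_line do |raw|
    line = raw.chomp
    if line.start_with?("+++ ")
      path = line.sub(%r{\A\+\+\+ (?:b/)?}, "")
    elsif line =~ /\A@@ -\d+(?:,\d+)? \+(\d+)/
      line_no = $1.to_i
    elsif line.start_with?("+")
      content = line[1..-1]
      unless path.nil? || path == "/dev/null" || path.match?(ALLOWED_PATH)
        SECRET_PATTERNS.each do |name, re|
          findings << [path, line_no, name] if content.match?(re)
        end
      end
      line_no += 1
    elsif !line.start_with?("-")
      line_no += 1    # context line advances the new-file line counter
    end
  end
  findings
end

# Constructed staged diff used to exercise the scanner.
SAMPLE_DIFF = <<~DIFF
  diff --git a/config/database.yml b/config/database.yml
  --- a/config/database.yml
  +++ b/config/database.yml
  @@ -3,2 +3,3 @@
   adapter: postgresql
  +password: "hunter2-production"
   host: db.internal
  diff --git a/lib/s3.rb b/lib/s3.rb
  --- a/lib/s3.rb
  +++ b/lib/s3.rb
  @@ -1,0 +1,2 @@
  +AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
  +AWS_REGION = "eu-west-1"
  diff --git a/spec/fixtures/key.pem b/spec/fixtures/key.pem
  --- /dev/null
  +++ b/spec/fixtures/key.pem
  @@ -0,0 +1 @@
  +-----BEGIN RSA PRIVATE KEY-----
DIFF

if __FILE__ == $PROGRAM_NAME
  diff = begin
    `git diff --cached --unified=0 --no-color 2>/dev/null`
  rescue Errno::ENOENT
    ""   # git not on PATH: nothing to scan
  end
  hits = find_secrets_in_diff(diff)
  hits.each { |p, n, what| warn "#{p}:#{n}: possible #{what}" }
  abort "commit blocked: move the secret to the environment" unless hits.empty?
end
```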

✔ Do not use templating without XSS protection


When using a templating engine, make sure that your web framework is configured with
XSS protection turned on.

Also, you should know which template syntax can introduce XSS vulnerabilities. For
instance, misuse of ERB’s html_safe method can actually open your app up to XSS
attacks.

ERB:
http://api.rubyonrails.org/classes/ERB/Util.html - http://bit.ly/2C2d1FH
https://makandracards.com/makandra/2579-everything-you-know-about-html_safe-is-wrong - http://bit.ly/2wqPhFW
HAML documentation:
http://haml.info/docs/yardoc/Haml/Options.html#escape_html-instance_method - http://bit.ly/2PRQfD5
http://haml.info/docs/yardoc/file.REFERENCE.html#escaping_html - http://bit.ly/2wroARB
SLIM documentation:
http://www.rubydoc.info/gems/slim/frames#Available_options - http://bit.ly/2N1o1aG
http://www.rubydoc.info/gems/slim/frames#Output__ - http://bit.ly/2Pk4ZJT
https://blogs.dropbox.com/tech/2016/09/how-dropbox-securely-stores-your-passwords/ - http://bit.ly/2PPilPw
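The escaping point with plain stdlib ERB, as an added example (not the handbook's code and not Rails): the same template rendered with and without ERB::Util#h, plus an attribute where URL encoding and HTML escaping are both needed. In Rails the unescaped case corresponds to `raw` or `html_safe` on user-controlled data. The comment body is a constructed input.

```ruby
require "erb"

# Plain ERB does not escape <%= %> output; escaping is the template author's
# job via ERB::Util#h. Rails' ERB escapes by default and html_safe is the
# opt-out, so the same bug appears there as raw(value) or value.html_safe.
class CommentView
  include ERB::Util   # provides h / html_escape / url_encode

  UNSAFE_TEMPLATE = "<p class=\"comment\"><%= body %></p>"
  SAFE_TEMPLATE   = "<p class=\"comment\"><%= h(body) %></p>"

  attr_reader :body

  def initialize(body)
    @body = body
  end

  # Renders user text straight into the markup: any tag in it becomes markup.
  def render_unescaped
    ERB.new(UNSAFE_TEMPLATE).result(binding)
  end

  # Same template with h(): the HTML metacharacters & < > " ' become
  # entities, so the text can only ever be text.
  def render_escaped
    ERB.new(SAFE_TEMPLATE).result(binding)
  end
end

# Attribute and URL contexts need their own encoding: the path segment is
# percent-encoded, the visible text is HTML-escaped, and the attribute is
# quoted. h() alone inside an unquoted attribute would not be enough.
def link_to_profile(name)
  "<a href=\"/users/#{ERB::Util.url_encode(name)}\">#{ERB::Util.html_escape(name)}</a>"
end
```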

✔ Perform data validation on everything you don't control


All user data that gets into your application should be validated and escaped to avoid
various kinds of injections.

Learn more about SQL injections in Ruby:

https://blog.sqreen.com/preventing-sql-injections-in-ruby/ - http://bit.ly/2C30zoY
https://rails-sqli.org - http://bit.ly/2N0F3We
Use ActiveModel::Validations to perform data validation:
http://api.rubyonrails.org/classes/ActiveModel/Validations.html - http://bit.ly/2NAMGzB
Learn more about SQL injections:
https://en.wikipedia.org/wiki/SQL_injection - http://bit.ly/2C22hqH

✔ Don't implement your own session management
It’s easy to write bad session management code that is vulnerable to session fixation
attacks. Use Devise, or another well-tested solution instead.

Read more:
Details on how session fixation attacks work:
https://www.owasp.org/index.php/Session_fixation - http://bit.ly/2MEUd4c

Some great gems for session management

https://github.com/plataformatec/devise - http://bit.ly/2LHP1Hn
https://github.com/Sorcery/sorcery - http://bit.ly/2NwvbAw

✔ Enforce a secure code review checklist


Security should always be kept in mind while coding. Enforce security reviews for pull
requests.

Learn more:

OWASP Code Review Project - http://bit.ly/2LGsbje
Rails Security - http://bit.ly/2ME75Yg

✔ Go hack yourself
Once in a while, the entire technical team should sit together and spend time targeting all
parts of the application, looking for vulnerabilities. This is a great time to test for account
isolation, token unicity, unauthenticated paths, etc. You will heavily rely on your browser’s
web console, curl, and 3rd party tools such as Burp.

Learn more:
Burp - http://bit.ly/2onKSPy
Red Team: Pwning the Hearts and Minds one Ticket at a Time - http://bit.ly/2MCvD3P
✔ Keep secrets away from code
Never commit secrets in your code. They should be handled separately in order to
prevent them accidentally being shared or exposed. This allows a clear separation between
your environments (typically development, staging and production).

Use a configuration file or environment variables, or use a configuration management gem:
https://github.com/laserlemon/figaro - http://bit.ly/2wtUNYx

Learn more:
12 Factor App - http://bit.ly/2PMGypq

✔ Keep your dependencies up to date


Third-party libraries can put your application at risk. Make sure you track your vulnerable
packages and update them regularly.


Tools:

Snyk - http://bit.ly/2PiGahI
Sqreen - http://bit.ly/2LHmd1w
Ruby Advisory - http://bit.ly/2wBcq7K

✔ Run it unprivileged
If an attacker successfully attacks your application, having it running as a restricted user
will make it harder for the attacker to take over the host and/or to bounce to other
services. Privileged users are root on Unix systems, and Administrator or System on
Windows systems.

✔ Run security linters on your code


Static Application Security Testing (SAST) is an easy and fast way to find unsafe patterns
in your code. You can enforce SAST security checks with a pre- or post-commit hook, but
be aware of the high number of false positives.

Brakeman - http://bit.ly/2NAPZqy
Rubocop - http://bit.ly/2C0xDhk
Awesome Static Analysis - http://bit.ly/2PmyvPp

✔ Integrate security scanners in your CI pipeline


Integrate a Dynamic Application Security Testing (DAST) tool in your CI, but, just like
SAST, be aware of the high number of false positives.

Arachni - http://bit.ly/2MWfgP9
OWASP Zed - http://bit.ly/2Ny177w
Acunetix - http://bit.ly/2wpuany

✔ Use a secure development life cycle


The secure development lifecycle (SDL) is a process that helps tackle security issues at
the beginning of a project. While rarely used as is, it provides useful insights at all stages
of the project, from the specification to the release. It will allow you to enforce good
practices at every step of the project life.

Read more:
OWASP Secure Software Development Lifecycle Project - http://bit.ly/2PRgNED
Microsoft Security Development Lifecycle - http://bit.ly/2wsiTml

✔ Ensure you are using security headers


Modern browsers support a set of headers dedicated to blocking certain types of attacks.
Make sure you have properly implemented all security headers. Don’t forget about the
Content Security Policy.

Learn more:
Secure headers library - http://bit.ly/2ws1QAE
Check your headers and other security configs - http://bit.ly/2C2LLXH
Check your headers and more - http://bit.ly/2ojI2ei
HTTP Security Headers - http://bit.ly/2LIHO9U
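A Rack-style middleware that sets a baseline of security headers including a Content Security Policy, as an added example (not the handbook's code and not the secure_headers gem linked above). The header values are a starting point to tighten per application; the inner app and request environments are constructed for the demonstration.

```ruby
# Fills in security headers the application has not already set, so a page
# with its own tighter CSP keeps it. Rack 3 lowercases header names; adapt the
# keys if you run on it.
class SecurityHeaders
  DEFAULTS = {
    # Same-origin resources only, no inline script, no framing. Add nonces or
    # hashes for the scripts you actually serve before deploying.
    "Content-Security-Policy" => "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security" => "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options" => "nosniff",
    "X-Frame-Options" => "DENY",
    "Referrer-Policy" => "strict-origin-when-cross-origin",
  }.freeze

  def initialize(app, overrides = {})
    @app = app
    @headers = DEFAULTS.merge(overrides)
  end

  def call(env)
    status, headers, body = @app.call(env)
    @headers.each do |name, value|
      next if headers.key?(name)   # the app set it explicitly; respect that
      next if name == "Strict-Transport-Security" && !https?(env)
      headers[name] = value
    end
    [status, headers, body]
  end

  private

  # HSTS only means something on an HTTPS response; browsers ignore it over
  # plain HTTP, and sending it there usually points at a misconfigured proxy.
  def https?(env)
    env["rack.url_scheme"] == "https" || env["HTTP_X_FORWARDED_PROTO"] == "https"
  end
end

# Constructed inner app standing in for the real application. It sets its own
# X-Frame-Options, which the middleware must leave alone.
APP = lambda do |_env|
  [200, { "Content-Type" => "text/html", "X-Frame-Options" => "SAMEORIGIN" }, ["<h1>ok</h1>"]]
end

def respond(env)
  SecurityHeaders.new(APP).call(env)
end
```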

INFRASTRUCTURE

✔ Use an automated configuration management tool


An automated configuration management tool helps you ensure that your servers are
updated and secured.

Chef: https://learn.chef.io/tutorials/ - http://bit.ly/2wtdgDA
Puppet: https://www.digitalocean.com/community/tutorials/how-to-install-puppet-4-in-a-master-agent-setup-on-ubuntu-14-04 - https://do.co/2N0yGCm
Ansible: http://docs.ansible.com/ansible/intro_getting_started.html - http://bit.ly/2LF9NYf
Salt: https://docs.saltstack.com/en/latest/topics/tutorials/walkthrough.html - http://bit.ly/2Nx214n

✔ Back up your data and check backup integrity


Your data is likely to be your business’s most precious asset. Be sure not to lose it.
Implement proper backups and check for backup integrity.

MongoDB Backup: https://docs.mongodb.com/manual/core/backups/ - http://bit.ly/2LGP3PX
Postgresql: https://www.postgresql.org/docs/current/static/backup.html - http://bit.ly/2Pg9OEb
Linux: http://www.tecmint.com/linux-system-backup-tools/ - http://bit.ly/2wwjKSk
https://www.dataone.org/best-practices/ensure-integrity-and-accessibility-when-making-backups-data - http://bit.ly/2N2I9sM

✔ Check your SSL / TLS configurations


Use free tools to scan your infrastructure regularly and make sure the SSL configurations
are correct.

https://observatory.mozilla.org/ - https://mzl.la/2PMIqP5
https://www.ssllabs.com/ - http://bit.ly/2wu3u44
https://diogomonica.com/2015/12/29/from-double-f-to-double-a/ - http://bit.ly/2C1Uauc

✔ Control access on your cloud providers


The best way to protect your services (database, file storage) is to not use passwords at all.
Use the built-in Identity and Access Management (IAM) functions to securely control
access to your resources.

http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html - https://amzn.to/2omecWF
https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances - http://bit.ly/2PfXCDo

✔ Encrypt all the things


SSL performance problems are a myth and you have no good reason not to use SSL on all
your public services.

Learn more:
https://letsencrypt.org/ - http://bit.ly/2wvISsi
https://certbot.eff.org/ - http://bit.ly/2POHaeh
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04 - https://do.co/2C1LWT3
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04 - https://do.co/2PlIQLq

✔ Log all the things


Infrastructure logs and application logs are your most precious allies for investigating a
data breach. Make sure your logs are stored somewhere safe and central. Also make sure
you whitelist or blacklist specific incoming data to avoid storing personally identifiable
information (PII).

https://qbox.io/blog/welcome-to-the-elk-stack-elasticsearch-logstash-kibana - http://bit.ly/2MEyJV8
https://www.loggly.com/ - http://bit.ly/2C1u2jc
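The whitelist/blacklist idea applied to a log line before it is written, as an added example (not the handbook's code): a scrubber that always masks credential-like keys, passes only vetted keys through, drops everything else, and pattern-masks e-mail addresses and card-like numbers in free text. The key lists and sample parameters are constructed for the demonstration.

```ruby
require "json"
require "logger"
require "time"

# Scrubs request parameters before they reach the log. Two lists: keys that
# are always masked (credentials) and keys that may be logged verbatim;
# anything else is dropped, so a new form field never leaks by default.
class PiiScrubber
  DENY_KEYS  = %w[password passwd secret token authorization cookie ssn].freeze
  ALLOW_KEYS = %w[controller action id page sort status request_id].freeze

  EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/
  CARD_RE  = /\b(?:\d[ -]?){13,16}\b/
  MASK = "[FILTERED]"

  # Returns a new hash that is safe to log. Nested hashes are scrubbed
  # recursively, so a denied key is caught at any depth.
  def scrub(params)
    params.each_with_object({}) do |(key, value), out|
      k = key.to_s
      if DENY_KEYS.any? { |d| k.downcase.include?(d) }
        out[k] = MASK
      elsif value.is_a?(Hash)
        out[k] = scrub(value)
      elsif ALLOW_KEYS.include?(k)
        out[k] = value
      else
        out[k] = "[DROPPED]"   # unknown field: never log what you did not vet
      end
    end
  end

  # Free text (exception messages, user agents, form comments) gets pattern
  # masking, since it has no keys to decide on.
  def scrub_text(text)
    text.gsub(EMAIL_RE, "[EMAIL]").gsub(CARD_RE, "[CARD]")
  end
end

# Logger formatter: a Hash message is treated as params, anything else as text.
class ScrubbingFormatter < Logger::Formatter
  def initialize
    super
    @scrubber = PiiScrubber.new
  end

  def call(severity, time, _progname, msg)
    payload = msg.is_a?(Hash) ? @scrubber.scrub(msg).to_json : @scrubber.scrub_text(msg.to_s)
    "#{time.utc.iso8601} #{severity} #{payload}\n"
  end
end
```

Wire it in with `Logger.new($stdout).tap { |l| l.formatter = ScrubbingFormatter.new }` and log the params hash rather than its string form.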

✔ Manage secrets with dedicated tools and vaults


When you need to store cryptographic secrets (other than database password, TLS
certificate, etc.) and perform encryption with them, you should use dedicated tools. This
way the cryptographic secret never leaves the tool and you get auditing features.

Tools:
HashiCorp Vault - http://bit.ly/2wu37Hu
Keywhiz - http://bit.ly/2ooRSvG
AWS CloudHSM - https://amzn.to/2wxp8Ex
AWS Key Management Service (KMS) - https://amzn.to/2MGWNGG

✔ Monitor your authorizations


Be proactive and get alerted when authorizations, keys or binaries are changed in
production.

http://techblog.netflix.com/2017/03/netflix-security-monkey-on-google-cloud.html - http://bit.ly/2NvtuDC
https://cloudsploit.com/events - http://bit.ly/2PL5q13
http://ossec.github.io/ - http://bit.ly/2onNywA
https://security.stackexchange.com/a/19386 - http://bit.ly/2NvtIKY

✔ Monitor your DNS expiration date


Just like TLS certificates, DNS can expire. Make sure you monitor your DNS expiration
automatically.

https://github.com/glensc/monitoring-plugin-check_domain - http://bit.ly/2MECFF9
✔ Protect your servers and infrastructure from scanners
Your servers will be scanned in order to fingerprint your application and locate open
services, misconfigurations, etc. You can set up tools to keep these scanners away from
your servers.

https://www.sqreen.com/ - http://bit.ly/2MDSMTm
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04 - https://do.co/2MV8eKt

✔ Protect your users against account takeovers


Credential stuffing or brute force attacks are easy to set up. You should make sure your
users are protected against account takeovers.

https://www.sqreen.com/ - http://bit.ly/2MDSMTm
https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks - http://bit.ly/2wqhH1O
https://security.stackexchange.com/questions/94432/should-i-implement-incorrect-password-delay-in-a-website-or-a-webservice - http://bit.ly/2wsMTh4

✔ Renew your certificates on time


You should be using TLS certificates. They can be a hassle to configure and monitor, but don’t
forget to renew them!

SSL Labs - http://bit.ly/2wu3u44
SSL expiration alerts with Lambda - http://bit.ly/2LzaYIt

✔ Store encrypted passwords in your configuration management


Storing passwords (like database ones) can be done on a dedicated database with
restricted access. Another solution is to store them encrypted in your Source Code
Management (SCM) system. That way, you just need the master key to decrypt them.

Chef: https://github.com/chef/chef-vault - http://bit.ly/2oknMtg
Puppet: https://puppet.com/blog/encrypt-your-data-using-hiera-eyaml - http://bit.ly/2C1NlJj
Salt: https://docs.saltstack.com/en/latest/ref/renderers/all/salt.renderers.gpg.html - http://bit.ly/2wvk6bL
Ansible: http://docs.ansible.com/ansible/playbooks_vault.html - http://bit.ly/2N2uPEF

✔ Upgrade your servers regularly


Server packages and libraries are often updated when security vulnerabilities are found.
You should update them as soon as a security vulnerability is detected.

https://www.ubuntu.com/usn/ - http://bit.ly/2POJstX
https://help.ubuntu.com/community/AutomaticSecurityUpdates - http://bit.ly/2wsNgsZ
https://access.redhat.com/security/vulnerabilities - https://red.ht/2MXEfBB

✔ Use an immutable infrastructure


Use immutable infrastructure to avoid having to manage and update your servers.

https://martinfowler.com/bliki/ImmutableServer.html - http://bit.ly/2PlNh92
https://hackernoon.com/configuration-management-is-an-antipattern-e677e34be64c#.n68b1i3eo - http://bit.ly/2wpE8F8

PROTECTION

✔ Don’t store credit card information


Use third-party services to store credit card information to avoid having to manage and
protect them.

https://stripe.com/ - http://bit.ly/2BULIwI
https://www.braintreepayments.com - http://bit.ly/2wxe763
https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf - http://bit.ly/2NuCLM1
https://medium.com/@folsen/accepting-payments-is-getting-harder-1b2f342e4ea#.897akko4q - http://bit.ly/2BXHN2h

✔ Enforce Two-factor authentication (2FA)


Enforce 2FA on all the services used (whenever possible).

https://duo.com/ - https://duo.sc/2LEODJu
https://auth0.com/ - http://bit.ly/2wu0UM9
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/ - http://bit.ly/2wu5yZW

✔ Ensure Compliance with Relevant Industry Standards


Comply with standards to ensure you follow industry best practices and meet your
customers’ needs. But compliance alone will never protect your apps. Make sure you also
take security seriously.

Learn more:
https://cloudsecurityalliance.org/ - http://bit.ly/2C3nTDa
https://en.wikipedia.org/wiki/ISO/IEC_27001:2013 - http://bit.ly/2C3mIDK
https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard - http://bit.ly/2NxBS5x

✔ Have a public bug bounty program


A bug bounty program will allow external hackers to report vulnerabilities. Most bug
bounty programs allow you to offer rewards for bugs found. A lot of the reports
won’t be valuable, and you need security-aware people inside your development teams to
evaluate the bugs you receive. These programs are good additions to other security
initiatives but can by no means be considered enough on their own.

Places to start:

Launching an Efficient and Cost-Effective Bug Bounty Program - http://bit.ly/2LEORAt
HackerOne - http://bit.ly/2NAnKIv
BugCrowd - http://bit.ly/2MGNtmo
Cobalt - http://bit.ly/2MHCU2B

✔ Have a public security policy


This is a page on your corporate website describing how you plan to respond to external
bug reports. You should advertise that you support responsible disclosure. Keep in mind
that most of the reports that you receive aren’t relevant. Don’t freak out if you receive so
called “critical disclosures”.

Check out the Open Source Security Page - http://bit.ly/2LFyPX9

✔ Keep your containers protected


Use Docker (or Kubernetes), and ensure that they are patched and secure. Use tools to
automatically update and scan your containers for security vulnerabilities.

https://www.docker.com/docker-security - https://dockr.ly/2MDdm6l
https://docs.docker.com/docker-cloud/builds/image-scan/ - https://dockr.ly/2N7Sp2S
https://jpetazzo.github.io/2015/05/27/docker-images-vulnerabilities/ - http://bit.ly/2MHTr6E
https://www.slideshare.net/MichaelCherny/security-best-practices-for-kubernetes-deployment - http://bit.ly/2LGSkym

✔ Protect against Denial Of Service (DoS)


DoS attacks are meant to break your application and make it unavailable to your
customers. Use a specific service to protect your app against Distributed Denial Of
Service attacks.

Tools:
Akamai - http://bit.ly/2optav8
Cloudflare - http://bit.ly/2C0sB4t
OVH - http://bit.ly/2PQnFC7

✔ Protect your applications against breaches


A real-time protection tool like Sqreen allows you to orchestrate your app security easily.
Sqreen will enable you to get full visibility on your security, prevent data breaches,
protect your customers, and stop business logic attacks. Customize your application’s
response to attacks (block attack, log stack trace etc.) and get notified when something
important happens.

MONITORING

✔ Audit your infrastructure on a regular basis


With cloud providers, it’s easy to start instances and forget about them. You will need to
create and maintain a list of your assets (servers, network devices, services exposed etc…),
and review it regularly to determine if you still need them, keep them up to date, and
ensure that they benefit from your latest deployments.

Learn more:
http://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html - https://amzn.to/2N3ojxt
http://searchenterpriselinux.techtarget.com/tip/Creating-an-inventory-with-nmap-network-scanning - http://bit.ly/2PkNcCf
https://github.com/Netflix/security_monkey - http://bit.ly/2olV0rZ

✔ Get notified when your app is under attack


You will be attacked. Make sure you have a monitoring system in place that will detect
security events targeting your application before it’s too late. Knowing when your
application is starting to get massively scanned is key to stop more advanced attacks.

https://www.sqreen.com/ - http://bit.ly/2MDSMTm
https://www.linode.com/docs/security/using-fail2ban-for-security#email-alerts - http://bit.ly/2omxRWD
http://alerta.io/ - http://bit.ly/2MBU1T6

✔ Detect insider threats


The most important attacks will come from attackers who have acquired larger attack
surfaces. Those can be attackers with regular user accounts or users having gained access
to privileged user accounts. Make sure you monitor your users to detect attackers early.

https://www.sqreen.com/ - http://bit.ly/2MDSMTm

✔ Monitor third party vendors


You’re likely to use third-party products to manage your servers / payrolls / logs or even
just social media. Just like you’re likely to be hacked, they can be too. Make sure you
follow the news and react immediately after a breach.

https://haveibeenpwned.com/ - http://bit.ly/2ww5atT
https://twitter.com/SecurityNewsbot - http://bit.ly/2MEJarO

Trusted by security teams, loved by developers.

Monitoring and protection platform made to be incredibly powerful yet very easy to use.

Unmatched security insights: Access to more detailed security analytics than ever, including
app-level incidents you can act on immediately.

Instant Protection: Out-of-the-box modules protect apps against a broad array of threats.
Setup takes minutes, no config required.

Easily meet enterprise compliance needs: Get access to the best controls without hiring
expensive security teams or consultants.

Start your free trial at sqreen.com
www.sqreen.com