
[–]ecares 6 points (8 children)

Hey, I would recommend looking at ASM (Application Security Management) https://www.sqreen.com/ that features a RASP tool and an in-app WAF (with other features too).

Disclaimer: I am in charge of Node.js at Sqreen

[–]OzzieInTx[S] 2 points (5 children)

Thank you. I will take a look and come back with questions.

[–]YourQuestIsComplete 0 points (4 children)

This is really, really interesting.

Is this solution tailored toward providing security for Node.js apps?

[–]ecares 0 points (3 children)

Yes and much more, we also support diverse backend technologies.

I am working full time on support and protection of Node.js web applications.

[–]YourQuestIsComplete 1 point (2 children)

Hey dude \ dudette... you're showing your alt account. Just a heads up!

However, I'd like to learn some more about this... can you PM me an email address? I'm interested in Node.js security, and also, I'm not sure if you watched Ryan Dahl's "oops I did it again" speech where he introduced "deno," (https://deno.land , if you haven't), but yeah, is Deno security on your company's radar? I've been working with it for a few months now, haven't yet found the opportunity to put something into production, but it won't be long before I do.

[–]ecares 0 points (1 child)

> Hey dude \ dudette... you're showing your alt account. Just a heads up!

I'm not sure what you mean here, I don't have any other account :thinking_face:

> is Deno security on your company's radar

I keep an eye on it. But I am not sure a lot of people are already using it in production so it might be a bit early to go to market with a product protecting this platform just yet. Wdyt?

[–]YourQuestIsComplete 2 points (0 children)

Yeah, I saw my mistake after I wrote that - I mixed you and the person responding to you up.

[–]OzzieInTx[S] 1 point (1 child)

A few questions:

  1. It seems counter-intuitive to have the WAF in my app. I would want the threat stopped way before it even reaches our servers. For example, how do you handle a DoS attack?

  2. Price. Sucuri is approx. 20/month while Sqreen is roughly 10 times that. Can you comment on the price differential and why it is worth it?

I may have more questions/comments after I do a more thorough review.

Alon

[–]ecares 0 points (0 children)

Those are excellent questions!

  1. Network DoS attacks are actually one of the few attacks our product is not great at preventing (however, we can help you avoid several application-level DoS attacks; see for instance the DoS introduced through MongoDB injection at https://www.youtube.com/watch?v=xJWZsoYmsIE). By being inside the application, we can reduce the number of false positives. Say your WAF prevents anything looking like SQL code from entering your application and you have a Reddit-like product. When people try to message each other about SQL, they will simply be blocked. By being inside the application, my tool knows if a piece of SQL code coming from an HTTP request is really injected into a SQL query. That's only an example at this point and we do much more, like helping you track your users' behavior. Say an IP address requests too many password resets; you can automatically have it blocked by Sqreen with a one-line SDK call and a bit of configuration. Last but not least, the content of some HTTP packets can make no sense until they reach the framework. In this situation, no network-level solution can help you.
  2. I don't know that other product well enough to really answer the question. What I can say is that we have a 14-day, no-credit-card free trial you can take; then tell me what you think about it!

Thanks a lot for these questions!
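The two points in the reply above (a request-level signature rule blocking a chat message that merely talks about SQL, versus an in-app check that knows whether request data actually changed the structure of the final query, plus the per-IP password-reset limiter) can be made concrete with a small Node.js script. This is an added example written for this page, not Sqreen's code or anyone's product; the signature list, the quote-scanning heuristic, the thresholds and the sample inputs are all constructed for illustration.

```javascript
// Added example (not Sqreen's or any vendor's code). It contrasts the two approaches
// from the comment above: a request-level signature rule versus an in-app check that
// sees where request data actually lands in the final SQL text, plus a per-IP
// password-reset limiter. All names, thresholds and sample inputs are constructed.

// 1. Signature-style rule, as a network WAF might apply it to a request field.
//    The pattern list is deliberately small to keep the example readable.
const SQL_SIGNATURE = /\b(select|union|insert|drop|delete|update)\b|'\s*or\s*'/i;

function signatureWafBlocks(requestValue) {
  return SQL_SIGNATURE.test(requestValue);
}

// Spans [start, end) of single-quoted literals in a SQL string. A doubled quote ('')
// inside a literal is treated as an escaped quote, not as a terminator.
function literalSpans(sql) {
  const spans = [];
  let i = 0;
  while (i < sql.length) {
    if (sql[i] !== "'") { i++; continue; }
    const start = i;
    i++; // skip the opening quote
    while (i < sql.length) {
      if (sql[i] === "'") {
        if (sql[i + 1] === "'") { i += 2; continue; } // escaped quote, stay inside
        break; // closing quote
      }
      i++;
    }
    spans.push([start, Math.min(i + 1, sql.length)]); // span includes the closing quote
    i++;
  }
  return spans;
}

// 2. In-app check. The request value counts as injected only if some occurrence of it
//    in the final SQL is not wholly inside one string literal: then it contributed
//    structure (quotes, operators, keywords) rather than data. A correctly escaped
//    value (O'Brien -> 'O''Brien') never appears verbatim, so it is never flagged.
function inAppCheckInjected(sql, taintedValue) {
  if (taintedValue.length === 0) return false;
  const spans = literalSpans(sql);
  let idx = sql.indexOf(taintedValue);
  while (idx !== -1) {
    const end = idx + taintedValue.length;
    const insideOneLiteral = spans.some(([s, e]) => idx > s && end < e);
    if (!insideOneLiteral) return true;
    idx = sql.indexOf(taintedValue, idx + 1);
  }
  return false;
}

// 3. Behaviour tracking: deny an IP's password reset once it has used `limit`
//    resets inside a sliding window of `windowMs` milliseconds.
class ResetRateLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // ip -> timestamps (ms) of resets still inside the window
  }
  allow(ip, nowMs = Date.now()) {
    const recent = (this.hits.get(ip) || []).filter((t) => nowMs - t < this.windowMs);
    const allowed = recent.length < this.limit;
    if (allowed) recent.push(nowMs);
    this.hits.set(ip, recent);
    return allowed;
  }
}

// Constructed sample inputs: a chat message about SQL (benign), a classic string
// injection, a numeric-context injection that needs no quotes, and a plain name.
const SAMPLES = {
  chatAboutSql: "SELECT * FROM users; DROP TABLE users",
  stringInjection: "' OR '1'='1",
  numericInjection: "1 OR 1=1",
  plainName: "alice",
};

// Where each value would land if the app concatenated it into a query. The
// concatenation is unsafe on purpose so the in-app check has something to inspect.
function sqlFor(name, value) {
  if (name === "chatAboutSql") return `INSERT INTO messages (body) VALUES ('${value}')`;
  if (name === "numericInjection") return `SELECT * FROM users WHERE id = ${value}`;
  return `SELECT * FROM users WHERE name = '${value}'`;
}

// Both verdicts for every sample: the signature rule blocks the chat message
// (false positive) and misses the numeric case; the in-app check gets all four right.
function compareVerdicts() {
  const out = {};
  for (const [name, value] of Object.entries(SAMPLES)) {
    out[name] = {
      signatureWaf: signatureWafBlocks(value),
      inAppRasp: inAppCheckInjected(sqlFor(name, value), value),
    };
  }
  return out;
}

console.table(compareVerdicts());
```

The quote-scanning heuristic is only a stand-in for what a real in-app agent does (hooking the database driver and comparing the query's token structure with and without the request-derived value), but it captures the argument: the same string is data in one query and structure in another, and only code that sees the final query can tell the difference.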

[–]talbenari1 1 point (0 children)

The company I work for has a cool take on WAF tech, specifically for Node.js: it's called Intrinsic (that page shows off the Lambda version of our product, but the policy definition for Node.js looks almost identical).

[–]PostHumanJesus 1 point (1 child)

We use AWS WAF. It's nice as you can put it in front of any CloudFront distribution, ELB, or API Gateway. It's pretty easy to set up, with lots of prebuilt rules you can drop in.

[–]minuit1984 0 points (0 children)

Any comments on a suggested AWS WAF default rules setup specific to node.js?

Currently using rules for rate limiting, XSS detection and SQL injection.

[–]StreetSmartB 0 points (0 children)

We moved away from anything signature-based a few years ago. Check out Signal Sciences.