How India’s largest home rental marketplace protects its apps with Sqreen without false positives

Summary

Challenges

• Finding an alternative to Next-Generation Web Application Firewalls that generate false positives and block legitimate traffic
• Finding a solution that doesn’t impact the app performance and respects data privacy
• Finding a security solution that covers custom business logic threats

Solution

• Use Sqreen’s automated application security solution
• Use Sqreen’s automation playbooks to prevent attacks against the business logic of the app

Benefits

• Improving the security of the platform without slowing development speed and without requiring massive security resources
• Absolutely no false positives in 2 years of usage
• A complete application security coverage that also covers all application security risks from DDoS, to SQL injections, to XSS or custom business logic threats

---

Nestaway is disrupting the real estate industry in India. As India’s fastest growing “managed home rental”​ marketplace, it provides the best rental experience for homeowners and renters.

Founded in 2015, the company raised over $90M and is backed by investors including Goldman Sachs and Tiger Global Management. Today the company has more than 63,000 tenants and 24,000 houses in their network. Over 100 engineers work on improving the platform. The main app is written in Ruby on Rails with a few microservices in Node.js and GoLang.

For a company collecting a lot of personal data about its users, security was always a big concern. The first full-time security engineer joined the company about 2 years in. After several critical vulnerabilities were uncovered (mainly SQL injections and XSS), the team was given the task to secure the applications.

Protecting customer data without false positives

Finding and fixing every vulnerability is not a feasible solution and would slow down development velocity. The NestAway security team looked therefore for a real-time protection solution. They tested several leading Web Application Firewalls (WAF) but they were triggering a lot of false positives and blocking valid users from using the app. Web Application Firewalls use lists of signatures/patterns to differentiate malicious requests from valid ones and are, therefore, prone to false positives and easily bypassable.

“You shouldn’t rely on any pattern matching security solution to protect your sensitive data. 6 out of 10 requests blocked by web application firewalls are false positives.“
Smruti Parida, CTO of Nestaway

Nestaway’s security team looked for an alternative solution and found Sqreen, that offered an entirely new approach to application security. They liked the fact that Sqreen doesn’t sit at the edge of an application and uses the full context of application requests to detect and block malicious activities.

The easy installation process allowed the security team to test Sqreen autonomously without requiring support from other engineering departments. Installing Sqreen only meant deploying a simple dependency into the app. No specific configurations were required and it just took a few minutes to deploy Sqreen.

After intensively testing Sqreen on a staging environment, Nestaway’s security team was able to confirm that compared to next-generation firewalls, Sqreen wasn’t blocking any legitimate traffic.

“In 2 years of usage, we’ve never experienced one single false positives on Sqreen and all of this without impacting the performance of our app. Security product shouldn’t have any impact on customers.”
Smruti Parida, CTO of Nestaway

Sqreen allows Nestaway to protect sensitive customer data against every major OWASP top 10 attack without triggering false positives. The security team doesn’t need to spend any time triaging false alerts and by being inside the application, Sqreen doesn’t redirect traffic and respects the data privacy of Nestaway.

Protecting against business logic flaws

After improving Nestaway’s security against database injections, cross-site scripting attacks and more; Nestaway was facing more and more very specific attacks targeting business functions of the application.

One of the biggest flaws of next-generation web application firewalls is their incapacity of protection against attacks targeting the business logic of applications. Sqreen offers a way to automate the response of an application based on security signals collected by Sqreen or custom events sent to Sqreen.

“The extensibility of the Sqreen security platform gives us all the tools required to insert custom security protections inside our applications easily. Today, we’ve got rid of the in-house systems we built and there’s no known attack type that is not covered by Sqreen’s security solution.”
Smruti Parida, CTO of Nestaway

Building new custom security playbooks is just a matter of minutes for Nestaway. Some of the rules they implemented protect the app from malicious admin connections, bad bots, application-layer DDoS attacks, application abuses etc.

Today, Nestaway uses Sqreen’s playbooks to log the attack info of every single type of attacks possible. CSRF, Insecure Direct Object Reference, DDoS and more are all covered by Sqreen playbooks!

Not just your standard security monitoring tool

One of the biggest caveats of traditional security solutions is the number of useless alerts they trigger. A security team needs to develop a very high sense of priority, and make sure it doesn’t spend time on meaningless attacks.

By being inside an application, Sqreen can differentiate small attacks that stay at the edge of an attacks surface from deeper attacks that require immediate attention. Only meaningful or actionable alerts are sent to the team.

“Sqreen’s intelligent notification system allows us to stay focused on what really matters. We only get notified over Slack when our attention is needed.”
Smruti Parida, CTO of Nestaway

Takeaways

Using Sqreen enabled Nestaway to improve their security without slowing down their processes and without requiring massive security resources. Sqreen offers Nestaway a complete and automated security coverage that protects from both custom logic threats and common OWASP Top 10 attacks.

---

To know more about Sqreen, visit our product page or request a demo for a live presentation to learn how Sqreen can help you protect your apps, APIs or microservices.