Nr 324109 updating iast Dec 13 #19529
base: develop
Changes from all commits
d365c6f
f888be7
d8ae25b
5833eea
899a860
f427355
26c7216
Diff view: src/content/docs/iast/install.mdx
@@ -9,44 +9,179 @@ | |
--- | ||
|
||
<Callout variant="important"> | ||
Run IAST with non-production deployments only. IAST tests by invoking HTTP requests with an exploit payload. You must use IAST in non-production environments with only simulated data to avoid both data corruption and introducing exploits into your live code. In addition, when you run IAST on new code in pre-production, you catch potential vulnerabilities before they go live. | ||
Run IAST with non-production deployments only. IAST tests the application by | ||
invoking HTTP requests with an exploit payload. You must use IAST in | ||
non-production environments with only simulated data to avoid both data | ||
corruption and introducing exploits into your live code. In addition, when you | ||
run IAST on new code in pre-production, you catch potential vulnerabilities | ||
before they go live. | ||
</Callout> | ||
|
||
## Install New Relic IAST | ||
|
||
There are primarily five stages involved in successful installation of IAST: | ||
|
||
1. [Safety check](#safety-check) | ||
Reviewer comment: Not parallel. Fix.
2. [Selection of application language](#selection-of-application-language) | ||
3. [Updating the APM agent](#updating-the-apm-agent) | ||
4. [Setting up the security agent](#setting-up-the-security-agent) | ||
5. [Restart and test the application](#restart-and-test-the-application) | ||
|
||
<CONTRIBUTOR_NOTE> | ||
I may need to delete the above steps as these steps do not align with our Style guide. | ||
Reviewer comment: Is this a comment?
</CONTRIBUTOR_NOTE> | ||
|
||
To install New Relic IAST: | ||
|
||
<Steps> | ||
<Step> | ||
Go to <DNT>**[one.newrelic.com](https://one.newrelic.com) > All capabilities > IAST**</DNT> and click <DNT>**Set up IAST with applications**</DNT>. | ||
Go to <DNT>**[one.newrelic.com](https://one.newrelic.com) > All capabilities > IAST** </DNT> and click <DNT>**Install**</DNT>. Click <DNT>**Start trial**</DNT> to start a free 30-day trial of IAST. | ||
Reviewer comment: There are two steps here.
|
||
<img | ||
title="Start a free, 30-day IAST trial" | ||
alt="Start a free, 30-day IAST trial" | ||
src="/images/iast_screenshot-full_install.webp" | ||
/> | ||
|
||
Click <DNT>**Set up IAST with applications**</DNT> to start trial of IAST. | ||
Reviewer comment: Global comment: Ensure all instructions follow [], , format.
|
||
<img | ||
title="Set up IAST with applications" | ||
alt="Set up IAST with applications" | ||
src="/images/iast_screenshot-full_install.webp" | ||
src="/images/iast-instructions.webp" | ||
/> | ||
|
||
|
||
</Step> | ||
|
||
<Step> | ||
Confirm IAST isn't running in a production environment and click <DNT>**Continue**</DNT>. | ||
|
||
<Callout variant="important"> | ||
Before you start IAST installation, review the IAST testing steps and how exploitable vulnerabilities are detected. | ||
For more information, refer: [IAST exploitable vulnerabilities](https://docs.newrelic.com/docs/iast/exploitable-vulns/) | ||
</Callout> | ||
|
||
</Step> | ||
## Safety check | ||
|
||
Make sure IAST is not running in the production environment and click <DNT>**Continue**</DNT>. | ||
Reviewer comment: Repeated information.
<img | ||
title="IAST Install Instruction Screen" | ||
alt="IAST Installation Instruction Screen" | ||
src="/images/iast-install-steps.webp" | ||
/> | ||
|
||
</Step> | ||
|
||
<Step> | ||
Select the language of your application and complete the steps. | ||
|
||
## Selection of application language | ||
|
||
Select the language of your application and complete the steps. The application languages supported are: Java, Node, and Go. | ||
<img | ||
title="Install New Relic IAST" | ||
alt="Install New Relic IAST" | ||
src="/images/iast_screenshot-crop_install.webp" | ||
/> | ||
</Step> | ||
|
||
Once you select the application language, make sure to follow the on-screen instructions. | ||
|
||
<Callout variant="tip"> | ||
- It is advisable to watch the [relevant application language video](/docs/iast/install/#check-out-these-demo-videos-for-setting-up-iast-with-different-application-languages) for successful installation of IAST. | ||
</Callout> | ||
|
||
</Step> | ||
|
||
<Step> | ||
|
||
## Update the APM agent | ||
|
||
<CollapserGroup> | ||
<Collapser | ||
id="update-apm-agent-for-java" | ||
title="Update the APM agent for Java application language" | ||
> | ||
|
||
Update the APM agent to the latest version. The minimum version supported is: v8.9.0. To update the java agent, follow these on-screen [instructions](https://docs.newrelic.com/docs/apm/agents/java-agent/installation/update-java-agent/) and verify the agent version using the command: | ||
Reviewer comment: Confusing. Are we updating the APM agent or the Java agent?
|
||
``` | ||
java -jar newrelic.jar -v | ||
|
||
``` | ||
|
||
Click **Next** to configure the security agent. | ||
|
||
<img | ||
title="Install New Relic IAST" | ||
alt="Install New Relic IAST" | ||
src="/images/iast-install-java.webp" | ||
/> | ||
|
||
</Collapser> | ||
|
||
<Collapser | ||
id="setup-application-using-node" | ||
title="Update the APM agent for node.js runtime environment" | ||
> | ||
Update to the latest version of the agent (minimum v12.0.0). To update the Node.js agent, follow your standard procedures and run the following process as a terminal command or as a script: | ||
|
||
``` | ||
npm install newrelic@latest | ||
|
||
``` | ||
|
||
Click **Next** to configure the security agent. | ||
|
||
<img | ||
title="Update the APM agent for node.js runtime environment" | ||
alt="Update the APM agent for node.js runtime environment" | ||
src="/images/update-apm-agent-for-node-js-runtime environment.webp" | ||
/> | ||
|
||
</Collapser> | ||
|
||
<Collapser | ||
id="setup-application-using-node" | ||
title="Update the APM for Go agent" | ||
> | ||
Update to the latest version of the agent (minimum v3.30.0) | ||
To update the Go agent, follow your standard procedures to run the following process as a terminal command or as a script. | ||
From http://github.com/newrelic/go-agent, use this process: | ||
|
||
``` | ||
go get -u github.com/newrelic/go-agent/v3/newrelic | ||
|
||
``` | ||
|
||
Click **Next** to configure the security agent. | ||
|
||
<img | ||
title="Update the APM for Go agentagent" | ||
alt="Update the APM for Go agent" | ||
src="/images/update-apm-for-go-agent.webp" | ||
/> | ||
|
||
</Collapser> | ||
|
||
</CollapserGroup> | ||
|
||
</Step> | ||
|
||
<Step> | ||
Make sure your `newrelic.yml` config file is updated as follows: | ||
|
||
## Configure the security agent | ||
|
||
<CollapserGroup> | ||
<Collapser | ||
id="setup-security-agent-java" | ||
title="Configure the security agent for java application" | ||
> | ||
|
||
Configure the security agent by enabling the security agent settings. Make sure your `newrelic.yml` config file is updated as follows: | ||
|
||
<CollapserGroup> | ||
<Collapser | ||
id="config-file-example" | ||
title={<><InlineCode>newrelic.yml</InlineCode> config file</>} | ||
title={<><InlineCode>newrelic.yml</InlineCode> config file (This setting is common for EU and Fed users)</>} | ||
> | ||
```yml | ||
security: | ||
|
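Review bot: the Go APM collapser reuses the id `setup-application-using-node` that the Node.js collapser directly above it already carries (`id="setup-application-using-node"` appears twice in this hunk); duplicate ids break the expand and deep-link anchors, so give the Go block its own id, for example `update-apm-agent-for-go`, in line with `update-apm-agent-for-java`. The numbered overview links `#updating-the-apm-agent` and `#setting-up-the-security-agent` do not match the headings added later in the hunk (`## Update the APM agent`, `## Configure the security agent`), so those links will not resolve. Also fix `title="Update the APM for Go agentagent"` and the space in `src="/images/update-apm-agent-for-node-js-runtime environment.webp"`, which will not load as written. Finally, this rendered view carries no +/- markers; after applying, confirm that every `<Step>` has exactly one `</Step>` (a second `</Step>` follows `## Safety check` with no opener visible between them), since unbalanced JSX fails the MDX build.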
@@ -82,20 +217,180 @@ | |
``` | ||
</Collapser> | ||
</CollapserGroup> | ||
</Step> | ||
|
||
{/* - `newrelic.yml` config file (This setting is common for EU and Fed users) | ||
|
||
```yml | ||
security: | ||
enabled: true | ||
agent: | ||
enabled: true | ||
``` | ||
|
||
- `newrelic.yml` config file for EU | ||
|
||
```yml | ||
security: | ||
enabled: true | ||
agent: | ||
enabled: true | ||
validator_service_url: wss://csec.eu01.nr-data.net | ||
``` | ||
- `newrelic.yml` config file for Fed users | ||
|
||
```yml | ||
security: | ||
enabled: true | ||
agent: | ||
enabled: true | ||
validator_service_url: wss://csec-gov.nr-data.net | ||
``` */} | ||
|
||
Set the `security.enabled` and `security.agent.enabled` flag to true in the **newrelic.yml** config file. Make sure the `high_security` in **newrelic.yml** is turned off for the IAST to work. | ||
|
||
<img | ||
title="IAST Full Configuration" | ||
alt="IAST Full Configuration" | ||
src="/images/iast-full-configuration.webp" | ||
/> | ||
|
||
The code shown above for **Configure the security agent** is the bare minimum requirement to start the IAST. | ||
|
||
To fully configure the IAST, click on `Advanced security agent configurations` and copy the **Security Config** Code. Now open the **newrelic.yml** file and paste the copied code below `high_security: false`. | ||
Reviewer comment: not "click on"
|
||
<Callout variant="tip"> | ||
|
||
`yml` is sensitive to indents and spacing, make sure the code pasted in **newrelic.yml** file is lined up underneath the high security settings: | ||
|
||
</Callout> | ||
|
||
<img | ||
title="yml to paste code for full configuration" | ||
alt="yml to paste code" | ||
src="/images/yml-to-paste-code.webp" | ||
/> | ||
|
||
</Collapser> | ||
|
||
<Collapser | ||
id="demo-install-nodejs" | ||
title="Configure the security agent for node.js" | ||
> | ||
Configure the security agent by enabling the security agent settings. | ||
|
||
To enable the security agent, set the `security.enabled` and `security.agent.enabled` flag to true in the newrelic.js config file present at the root directory of your app. | ||
|
||
Make sure that the `high_security` mode is turned off for the IAST to work. | ||
|
||
<img | ||
title="Configure the security agent for node.js" | ||
alt="Configure the security agent for node.js" | ||
src="/images/configure-the-security-agent-for-node-js.webp" | ||
/> | ||
|
||
The code shown above for **Configure the security agent** is the bare minimum requirement to start the IAST. | ||
|
||
To fully configure the IAST, click on `Advanced security agent configurations` and copy the **Security Config** Code. Add the code... | ||
|
||
</Collapser> | ||
|
||
<Collapser | ||
id="demo-install-nodejs" | ||
title="Configure the Go agent" | ||
> | ||
Configure the security agent by following the below steps: | ||
Reviewer comment: the below > these
|
||
<img | ||
title="Configure the Go agent" | ||
alt="Configure the Go agent" | ||
src="/images/configure-go-agent.webp" | ||
/> | ||
|
||
1. Add this integration to your application by importing. | ||
Reviewer comment: by importing what?
|
||
From https://github.com/newrelic/go-agent/tree/master/v3/integrations/nrsecurityagent, use this command: | ||
|
||
``` | ||
import "github.com/newrelic/go-agent/v3/integrations/nrsecurityagent" | ||
|
||
``` | ||
|
||
1. Enable IAST testing by adding code to initialize the integration after your call to `newrelic.NewApplication`. | ||
|
||
``` | ||
app, err := newrelic.NewApplication( | ||
newrelic.ConfigAppName("Your Application Name"), | ||
newrelic.ConfigLicense("NEW_RELIC_LICENSE_KEY"), | ||
) | ||
|
||
``` | ||
|
||
Initialize the `nrsecurityagent` as given below: | ||
|
||
``` | ||
err := nrsecurityagent.InitSecurityAgent( | ||
app, | ||
nrsecurityagent.ConfigSecurityEnable(true), | ||
nrsecurityagent.ConfigSecurityValidatorServiceEndPointUrl("wss://csec.nr-data.net"), | ||
) | ||
|
||
``` | ||
|
||
1. Please ensure that you wrap your framework router with the WrapRouter function for [Echo](https://pkg.go.dev/github.com/newrelic/go-agent/v3/integrations/nrecho-v4#WrapRouter), [Gin](https://pkg.go.dev/github.com/newrelic/go-agent/v3/integrations/nrgin#WrapRouter), [Gorilla](https://pkg.go.dev/github.com/newrelic/go-agent/v3/integrations/nrgorilla#WrapRouter) frameworks. This is crucial for detecting routes(API endpoints) and enabling provable security in your application. | ||
Reviewer comment: No "please"
|
||
1. If you are opening an HTTP protocol endpoint, place the [newrelic.WrapListen](https://pkg.go.dev/github.com/newrelic/go-agent/v3/newrelic#WrapListen) function around the endpoint name to enable vulnerability scanning against that endpoint. For example: | ||
|
||
``` | ||
http.ListenAndServe(newrelic.WrapListen(":8000"), nil) | ||
|
||
``` | ||
|
||
**Note:** Skip this step if you are on linux environment. | ||
Reviewer comment: Linux capitalization
|
||
1. Based on additional packages imported by the user application, add suitable instrumentation package [Instrumentation packages](https://github.com/newrelic/csec-go-agent#instrumentation-packages). | ||
Reviewer comment: add the suitable instrumentation packages
|
||
Make sure that the HighSecurity mode is turned off for the IAST to work. | ||
|
||
Click **Next** to restart and test the application. | ||
|
||
</Collapser> | ||
|
||
</CollapserGroup> | ||
|
||
</Step> | ||
|
||
<Step> | ||
Once you've completed all the steps, restart your application and generate traffic against the application's APIs. | ||
## Restart and test the application | ||
|
||
To start testing with the IAST agent, restart your application and generate traffic against your application’s APIs. Click <DNT>**See your data**</DNT> for an overview of your tested application. | ||
|
||
<img | ||
title="Install New Relic IAST" | ||
alt="New Relic IAST on-screen instructions" | ||
src="/images/iast-see-your-data-button.webp" | ||
/> | ||
|
||
</Step> | ||
|
||
<Step> | ||
Click <DNT>**See your data**</DNT> to see an overview of your tested application. | ||
|
||
## Test application window | ||
Reviewer comment: Why is this a step?
|
||
The below screen will show IAST test results as per your configurations. | ||
Reviewer comment: The following screen
|
||
<img | ||
title="Install New Relic IAST" | ||
alt="New Relic IAST See your data tab" | ||
src="/images/iast-see-your-data.webp" | ||
/> | ||
|
||
To reach the test application window, go to <DNT>**[one.newrelic.com](https://one.newrelic.com) > All capabilities > IAST** </DNT> and click <DNT>**Testing Status**</DNT>. | ||
|
||
</Step> | ||
|
||
</Steps> | ||
|
||
For more detailed instructions, check out these examples demo below. | ||
## Check out these demo videos for setting up IAST with different application languages | ||
|
||
<CollapserGroup> | ||
<Collapser | ||
|
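Review bot: the Go snippet under "Initialize the `nrsecurityagent` as given below" will not compile as shown: `err := nrsecurityagent.InitSecurityAgent(` redeclares `err`, which the preceding block already declared with `app, err := newrelic.NewApplication(`, and Go rejects `:=` when no new variable appears on the left. Use `err = nrsecurityagent.InitSecurityAgent(` and check the `err` from `NewApplication` before passing `app` on. The Go example also hardcodes `ConfigSecurityValidatorServiceEndPointUrl("wss://csec.nr-data.net")`, while the commented-out Java block in the same hunk shows that EU (`wss://csec.eu01.nr-data.net`) and Fed (`wss://csec-gov.nr-data.net`) users need different validator endpoints; say so for Go as well, and either restore that Java block or delete it rather than shipping it inside `{/* ... */}`. The two security-agent collapsers for Node.js and Go both use `id="demo-install-nodejs"`, and the Node.js section ends on the unfinished sentence "Add the code...".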
@@ -108,6 +403,7 @@ | |
type="wistia" | ||
id="dbipyzuyok" | ||
/> | ||
|
||
</Collapser> | ||
|
||
<Collapser | ||
|
@@ -120,5 +416,6 @@ | |
type="wistia" | ||
id="1m2suxuvuz" | ||
/> | ||
|
||
</Collapser> | ||
</CollapserGroup> |
Reviewer comment: Many of the screenshots in this article don't seem to add value. Discuss with me.