Nr 324109 updating iast Dec 13 #19529

Open. Wants to merge 7 commits into base: develop.
Expand Up @@ -16,7 +16,7 @@ redirects:
- /docs/accounts/accounts/account-maintenance/unsubscribe-new-relic-emails
freshnessValidatedDate: never
---

* Test branch
In your New Relic account settings, you can subscribe and unsubscribe to specific types of emails, and edit other email preferences.

<Callout variant="tip">
Expand Down
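Review bot: the `* Test branch` bullet inserted directly above "In your New Relic account settings, you can subscribe and unsubscribe..." looks like a leftover test edit rather than intended content; remove it before merge, since it would render as a stray list item at the top of an unrelated article.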
323 changes: 310 additions & 13 deletions src/content/docs/iast/install.mdx
Expand Up @@ -9,44 +9,179 @@
---

<Callout variant="important">
Run IAST with non-production deployments only. IAST tests by invoking HTTP requests with an exploit payload. You must use IAST in non-production environments with only simulated data to avoid both data corruption and introducing exploits into your live code. In addition, when you run IAST on new code in pre-production, you catch potential vulnerabilities before they go live.
Run IAST with non-production deployments only. IAST tests the application by
invoking HTTP requests with an exploit payload. You must use IAST in
non-production environments with only simulated data to avoid both data
corruption and introducing exploits into your live code. In addition, when you

vale notice on line 15: [Microsoft.Wordiness] Consider using 'also' instead of 'In addition'.
run IAST on new code in pre-production, you catch potential vulnerabilities
before they go live.
</Callout>

## Install New Relic IAST

There are primarily five stages involved in successful installation of IAST:
Contributor: Many of the screenshots in this article don't seem to add value. Discuss with me.

1. [Safety check](#safety-check)
Contributor: Not parallel. Fix.

2. [Selection of application language](#selection-of-application-language)
3. [Updating the APM agent](#updating-the-apm-agent)
4. [Setting up the security agent](#setting-up-the-security-agent)
5. [Restart and test the application](#restart-and-test-the-application)

<CONTRIBUTOR_NOTE>

vale warning on line 30: [Microsoft.FirstPerson] Use first person (such as ' I') sparingly.
I may need to delete the above steps as these steps do not align with our Style guide.

vale failure on line 31: [Microsoft.Contractions] Use 'don't' instead of 'do not'.
Contributor: Is this a comment?

</CONTRIBUTOR_NOTE>

To install New Relic IAST:

<Steps>
<Step>
Go to <DNT>**[one.newrelic.com](https://one.newrelic.com) > All capabilities > IAST**</DNT> and click <DNT>**Set up IAST with applications**</DNT>.
Go to <DNT>**[one.newrelic.com](https://one.newrelic.com) > All capabilities > IAST** </DNT> and click <DNT>**Install**</DNT>. Click <DNT>**Start trial**</DNT> to start a free 30-day trial of IAST.
Contributor: There are two steps here.
Follow the , , format for instructions.

<img
title="Start a free, 30-day IAST trial"
alt="Start a free, 30-day IAST trial"
src="/images/iast_screenshot-full_install.webp"
/>

Click <DNT>**Set up IAST with applications**</DNT> to start trial of IAST.
Contributor: Global comment: Ensure all instructions follow [], , format.

<img
title="Set up IAST with applications"
alt="Set up IAST with applications"
src="/images/iast_screenshot-full_install.webp"
src="/images/iast-instructions.webp"
/>


</Step>

<Step>
Confirm IAST isn't running in a production environment and click <DNT>**Continue**</DNT>.

<Callout variant="important">
Before you start IAST installation, review the IAST testing steps and how exploitable vulnerabilities are detected.

vale notice on line 60: [Microsoft.Passive] 'are detected' looks like passive voice.
For more information, refer: [IAST exploitable vulnerabilities](https://docs.newrelic.com/docs/iast/exploitable-vulns/)
</Callout>

</Step>
## Safety check

Make sure IAST is not running in the production environment and click <DNT>**Continue**</DNT>.
Contributor: Repeated information.

<img
title="IAST Install Instruction Screen"
alt="IAST Installation Instruction Screen"
src="/images/iast-install-steps.webp"
/>

</Step>

<Step>
Select the language of your application and complete the steps.

## Selection of application language

Select the language of your application and complete the steps. The application languages supported are: Java, Node, and Go.
<img
title="Install New Relic IAST"
alt="Install New Relic IAST"
src="/images/iast_screenshot-crop_install.webp"
/>
</Step>

Once you select the application language, make sure to follow the on-screen instructions.

<Callout variant="tip">
- It is advisable to watch the [relevant application language video](/docs/iast/install/#check-out-these-demo-videos-for-setting-up-iast-with-different-application-languages) for successful installation of IAST.

vale notice on line 89: [Microsoft.SentenceLength] Try to keep sentences short (< 30 words).
vale failure on line 89: [Microsoft.Contractions] Use 'it's' instead of 'It is'.
</Callout>

</Step>

<Step>

## Update the APM agent

<CollapserGroup>
<Collapser
id="update-apm-agent-for-java"
title="Update the APM agent for Java application language"
>

Update the APM agent to the latest version. The minimum version supported is: v8.9.0. To update the java agent, follow these on-screen [instructions](https://docs.newrelic.com/docs/apm/agents/java-agent/installation/update-java-agent/) and verify the agent version using the command:
Contributor: Confusing. Are we updating the APM agent or the Java agent?
Capitalization for Java is wrong.

```
java -jar newrelic.jar -v

```

Click **Next** to configure the security agent.

<img
title="Install New Relic IAST"
alt="Install New Relic IAST"
src="/images/iast-install-java.webp"
/>

</Collapser>

<Collapser
id="setup-application-using-node"
title="Update the APM agent for node.js runtime environment"
>
Update to the latest version of the agent (minimum v12.0.0). To update the Node.js agent, follow your standard procedures and run the following process as a terminal command or as a script:

```
npm install newrelic@latest

```

Click **Next** to configure the security agent.

<img
title="Update the APM agent for node.js runtime environment"
alt="Update the APM agent for node.js runtime environment"
src="/images/update-apm-agent-for-node-js-runtime environment.webp"
/>

</Collapser>

<Collapser
id="setup-application-using-node"
title="Update the APM for Go agent"
>
Update to the latest version of the agent (minimum v3.30.0)
To update the Go agent, follow your standard procedures to run the following process as a terminal command or as a script.
From http://github.com/newrelic/go-agent, use this process:

```
go get -u github.com/newrelic/go-agent/v3/newrelic

```

Click **Next** to configure the security agent.

<img
title="Update the APM for Go agentagent"
alt="Update the APM for Go agent"
src="/images/update-apm-for-go-agent.webp"
/>

</Collapser>

</CollapserGroup>

</Step>

<Step>
Make sure your `newrelic.yml` config file is updated as follows:

## Configure the security agent

<CollapserGroup>
<Collapser
id="setup-security-agent-java"
title="Configure the security agent for java application"
>

Configure the security agent by enabling the security agent settings. Make sure your `newrelic.yml` config file is updated as follows:

<CollapserGroup>
<Collapser
id="config-file-example"
title={<><InlineCode>newrelic.yml</InlineCode> config file</>}
title={<><InlineCode>newrelic.yml</InlineCode> config file (This setting is common for EU and Fed users)</>}
>
```yml
security:
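Review bot: the Node and Go `<Collapser>` blocks both carry id="setup-application-using-node", so the two anchors collide and the Go block is mislabeled; give the Go block its own id and correct its title "Update the APM for Go agent" and the img title "Update the APM for Go agentagent" to "Update the APM agent for Go". Two image paths will not resolve as written: src="/images/update-apm-agent-for-node-js-runtime environment.webp" contains a space, and src="/images/iast-instructions.webp" differs in case from the file this PR adds, static/images/Iast-Instructions.webp, which breaks on a case-sensitive host. The Go agent link "From http://github.com/newrelic/go-agent" should use https so readers are not sent over plaintext to fetch instructions for a security agent.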
Expand Down Expand Up @@ -82,20 +217,180 @@
```
</Collapser>
</CollapserGroup>
</Step>

{/* - `newrelic.yml` config file (This setting is common for EU and Fed users)

```yml
security:
enabled: true
agent:
enabled: true
```

- `newrelic.yml` config file for EU

```yml
security:
enabled: true
agent:
enabled: true
validator_service_url: wss://csec.eu01.nr-data.net
```
- `newrelic.yml` config file for Fed users

```yml
security:
enabled: true
agent:
enabled: true
validator_service_url: wss://csec-gov.nr-data.net
``` */}

Set the `security.enabled` and `security.agent.enabled` flag to true in the **newrelic.yml** config file. Make sure the `high_security` in **newrelic.yml** is turned off for the IAST to work.

<img
title="IAST Full Configuration"
alt="IAST Full Configuration"
src="/images/iast-full-configuration.webp"
/>

The code shown above for **Configure the security agent** is the bare minimum requirement to start the IAST.

To fully configure the IAST, click on `Advanced security agent configurations` and copy the **Security Config** Code. Now open the **newrelic.yml** file and paste the copied code below `high_security: false`.
Contributor @vpayyapilly (Dec 19, 2024):
not "click on"
copy the Security Config Code > code should be in lowercase
copied code below > copied code after

<Callout variant="tip">

`yml` is sensitive to indents and spacing, make sure the code pasted in **newrelic.yml** file is lined up underneath the high security settings:

</Callout>

<img
title="yml to paste code for full configuration"
alt="yml to paste code"
src="/images/yml-to-paste-code.webp"
/>

</Collapser>

<Collapser
id="demo-install-nodejs"
title="Configure the security agent for node.js"
>
Configure the security agent by enabling the security agent settings.

To enable the security agent, set the `security.enabled` and `security.agent.enabled` flag to true in the newrelic.js config file present at the root directory of your app.

Make sure that the `high_security` mode is turned off for the IAST to work.

<img
title="Configure the security agent for node.js"
alt="Configure the security agent for node.js"
src="/images/configure-the-security-agent-for-node-js.webp"
/>

The code shown above for **Configure the security agent** is the bare minimum requirement to start the IAST.

To fully configure the IAST, click on `Advanced security agent configurations` and copy the **Security Config** Code. Add the code...

</Collapser>

<Collapser
id="demo-install-nodejs"
title="Configure the Go agent"
>
Configure the security agent by following the below steps:
Contributor: the below > these

<img
title="Configure the Go agent"
alt="Configure the Go agent"
src="/images/configure-go-agent.webp"
/>

1. Add this integration to your application by importing.
Contributor: by importing what?

From https://github.com/newrelic/go-agent/tree/master/v3/integrations/nrsecurityagent, use this command:

```
import "github.com/newrelic/go-agent/v3/integrations/nrsecurityagent"

```

1. Enable IAST testing by adding code to initialize the integration after your call to `newrelic.NewApplication`.

```
app, err := newrelic.NewApplication(
newrelic.ConfigAppName("Your Application Name"),
newrelic.ConfigLicense("NEW_RELIC_LICENSE_KEY"),
)

```

Initialize the `nrsecurityagent` as given below:

```
err := nrsecurityagent.InitSecurityAgent(
app,
nrsecurityagent.ConfigSecurityEnable(true),
nrsecurityagent.ConfigSecurityValidatorServiceEndPointUrl("wss://csec.nr-data.net"),
)

```

1. Please ensure that you wrap your framework router with the WrapRouter function for [Echo](https://pkg.go.dev/github.com/newrelic/go-agent/v3/integrations/nrecho-v4#WrapRouter), [Gin](https://pkg.go.dev/github.com/newrelic/go-agent/v3/integrations/nrgin#WrapRouter), [Gorilla](https://pkg.go.dev/github.com/newrelic/go-agent/v3/integrations/nrgorilla#WrapRouter) frameworks. This is crucial for detecting routes(API endpoints) and enabling provable security in your application.
Contributor: No "please"
This is crucial to detect routes (API endpoints) and to detect

1. If you are opening an HTTP protocol endpoint, place the [newrelic.WrapListen](https://pkg.go.dev/github.com/newrelic/go-agent/v3/newrelic#WrapListen) function around the endpoint name to enable vulnerability scanning against that endpoint. For example:

```
http.ListenAndServe(newrelic.WrapListen(":8000"), nil)

```

**Note:** Skip this step if you are on linux environment.
Contributor: Linux capitalization

1. Based on additional packages imported by the user application, add suitable instrumentation package [Instrumentation packages](https://github.com/newrelic/csec-go-agent#instrumentation-packages).
Contributor: add the suitable instrumentation packages

Make sure that the HighSecurity mode is turned off for the IAST to work.

Click **Next** to restart and test the application.

</Collapser>

</CollapserGroup>

</Step>

<Step>
Once you've completed all the steps, restart your application and generate traffic against the application's APIs.
## Restart and test the application

To start testing with the IAST agent, restart your application and generate traffic against your application’s APIs. Click <DNT>**See your data**</DNT> for an overview of your tested application.

<img
title="Install New Relic IAST"
alt="New Relic IAST on-screen instructions"
src="/images/iast-see-your-data-button.webp"
/>

</Step>

<Step>
Click <DNT>**See your data**</DNT> to see an overview of your tested application.

## Test application window
Contributor: Why is this a step?

The below screen will show IAST test results as per your configurations.
Contributor: The following screen

<img
title="Install New Relic IAST"
alt="New Relic IAST See your data tab"
src="/images/iast-see-your-data.webp"
/>

To reach the test application window, go to <DNT>**[one.newrelic.com](https://one.newrelic.com) > All capabilities > IAST** </DNT> and click <DNT>**Testing Status**</DNT>.

</Step>

</Steps>

For more detailed instructions, check out these examples demo below.
## Check out these demo videos for setting up IAST with different application languages

<CollapserGroup>
<Collapser
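Review bot: id="demo-install-nodejs" is reused on the Go Collapser (title "Configure the Go agent"), so that block needs its own id. The `{/* ... */}` comment is now the only place the EU (validator_service_url: wss://csec.eu01.nr-data.net) and Fed (validator_service_url: wss://csec-gov.nr-data.net) settings appear, while the Go step hard-codes nrsecurityagent.ConfigSecurityValidatorServiceEndPointUrl("wss://csec.nr-data.net") with no regional variant; either restore that guidance for all three agents or delete the comment rather than ship it as dead text. The Node section stops mid-sentence at "Add the code...", and "Skip this step if you are on linux environment" does not say which step it applies to. Each of the three "turn high_security off" instructions loosens the agent's security posture, so they should restate the opening callout's constraint that IAST runs only against non-production deployments with simulated data.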
Expand All @@ -108,6 +403,7 @@
type="wistia"
id="dbipyzuyok"
/>

</Collapser>

<Collapser
Expand All @@ -120,5 +416,6 @@
type="wistia"
id="1m2suxuvuz"
/>

</Collapser>
</CollapserGroup>
Binary file added static/images/Iast-Instructions.webp
Binary file not shown.
Binary file added static/images/configure-go-agent.webp
Binary file not shown.
Binary file not shown.
Binary file added static/images/iast-full-configuration.webp
Binary file not shown.
Binary file added static/images/iast-install-java.webp
Binary file not shown.
Binary file added static/images/iast-install-steps.webp
Binary file not shown.
Binary file added static/images/iast-see-your-data-button.webp
Binary file not shown.
Binary file added static/images/iast-see-your-data.webp
Binary file not shown.
Binary file modified static/images/iast_screenshot-crop_install.webp
Binary file not shown.
Binary file modified static/images/iast_screenshot-full_install.webp
Binary file not shown.
Binary file added static/images/iast_screenshot-full_install1.webp
Binary file not shown.
Binary file not shown.
Binary file added static/images/update-apm-for-go-agent.webp
Binary file not shown.