Merge pull request #13189 from newrelic/109972-IAST-public_preview
feat(iast): new doc & imgs
Showing 12 changed files with 323 additions and 0 deletions.
@@ -0,0 +1,316 @@ | ||
--- | ||
title: New Relic interactive applications security testing (IAST) | ||
tags: | ||
- IAST | ||
- Exploitable vulnerabilities | ||
metaDescription: Use Vulnerability Management to find exploitable vulnerabilities in your application. | ||
--- | ||
|
||
import iastSummary from 'images/iast_screenshot-crop_summary.webp' | ||
|
||
import iastInstall from 'images/IAST_screenshot-crop_install.webp' | ||
|
||
import iastAppVuln from 'images/IAST_screenshot-crop_app-vuln.webp' | ||
|
||
import iastAppCoverage from 'images/IAST_screenshot-crop_app-coverage.webp' | ||
|
||
import iastVulnDetails from 'images/iast_screenshot-crop_vuln-details.webp' | ||
|
||
import iastExploitablesAll from 'images/iast_screenshot-crop_exploitables-all.webp' | ||
|
||
import iastCoverageOverview from 'images/iast_screenshot-crop_coverage-overview.webp' | ||
|
||
import iastUntestedApps from 'images/iast_screenshot-crop_untested-apps.webp' | ||
|
||
import iastEnableIast from 'images/iast_screenshot-crop_enable-iast.webp' | ||
|
||
<Callout title="PREVIEW"> | ||
This feature is currently in preview. | ||
</Callout> | ||
|
||
When your application has exploitable vulnerabilities, it means that someone could take advantage of a misconfiguration to access sensitive information. To help prevent that, install our interactive applications security testing (IAST). | ||
|
||
<img | ||
title="IAST Summary page" | ||
alt="IAST Summary page" | ||
src={iastSummary} | ||
/> | ||
|
||
<figcaption> | ||
**[one.newrelic.com](https://one.newrelic.com)** > **All capabilities** > **IAST**. | ||
</figcaption> | ||
|
||
IAST helps you: | ||
|
||
- Ship code faster with unmatched detection accuracy of security risks | ||
- See and secure every application you build and run | ||
- Find, fix, and verify vulnerabilities for any application | ||
- Reduce the time and cost to eliminate vulnerabilities earlier in the software development lifecycle | ||
|
||
You can use IAST to test applications written in the following languages: | ||
|
||
- Java | ||
- NodeJS | ||
- Go | ||
|
||
## Test your application [#install] | ||
|
||
<Callout variant="important"> | ||
Run IAST with non-production deployments only to avoid exposing vulnerabilities on your production software. | ||
|
||
IAST tests your applications for any exploitable vulnerability by replaying the generated HTTP request with vulnerable payloads. | ||
</Callout> | ||
|
||
1. Go to **[one.newrelic.com](https://one.newrelic.com)** > **All capabilities** > **IAST**, and click **Start trial**. | ||
2. Read the pre-release software terms, and click **Accept** if you agree to them. | ||
3. On the left hand-side menu, under **Settings**, click **Install**. | ||
4. In the installation window, select the language of your application and complete the steps. | ||
<img | ||
title="Install IAST" | ||
alt="Install IAST" | ||
src={iastInstall} | ||
/> | ||
|
||
<figcaption> | ||
**[one.newrelic.com](https://one.newrelic.com)** > **All capabilities** > **IAST** > **Install**. | ||
</figcaption> | ||
|
||
5. After you've installed your application, use the APIs from your application so that New Relic can start looking for exploitable vulnerabilities. You can do so by running your own tests against your APIs. | ||
6. Once you've completed all the steps, click **See your data** to see an overview of your tested applications. | ||
|
||
## Manage exploitable vulnerabilities for an application [#app-vuln] | ||
|
||
To manage exploitable vulnerabilities for a specific application, do the following: | ||
|
||
1. Go to **[one.newrelic.com](https://one.newrelic.com)** > **All capabilities** > **IAST** > **Applications**. | ||
2. Under **Tested applications**, search for your application or select it. | ||
3. In the **Application vulnerabilities** tab, see all the exploitable vulnerabilities found in your application. | ||
<img | ||
title="Overview of the exploitable vulnerabilities found in your application." | ||
alt="Overview of the exploitable vulnerabilities found in your application." | ||
src={iastAppVuln} | ||
/> | ||
|
||
<figcaption> | ||
**[one.newrelic.com](https://one.newrelic.com)** > **All capabilities** > **IAST** > **Applications**, and select your application. | ||
</figcaption> | ||
|
||
4. In the **Exploitable vulnerabilities** table, select an exploitable vulnerability to explore details about the vulnerability and understand the specifics of how to address it. | ||
<img | ||
title="Exploitable vulnerability details and how to fix it." | ||
alt="Exploitable vulnerability details and how to fix it." | ||
src={iastVulnDetails} | ||
/> | ||
|
||
<figcaption> | ||
**[one.newrelic.com](https://one.newrelic.com)** > **All capabilities** > **IAST** > **Applications**, select your application, and select a vulnerability. | ||
</figcaption> | ||
|
||
5. Additionally, in the **Application coverage** tab, see how vulnerable each part of your application is. | ||
<img | ||
title="Vulnerability coverage of your application." | ||
alt="Vulnerability coverage of your application." | ||
src={iastAppCoverage} | ||
/> | ||
|
||
<figcaption> | ||
**[one.newrelic.com](https://one.newrelic.com)** > **All capabilities** > **IAST** > **Applications**, select your application and see the **Application coverage** tab. | ||
</figcaption> | ||
|
||
## Manage exploitable vulnerabilities for all your applications [#all-apps-vuln] | ||
|
||
To manage all the exploitable vulnerabilities across your application portfolio, do the following: | ||
|
||
1. Go to **[one.newrelic.com](https://one.newrelic.com)** > **All capabilities** > **IAST** > **Exploitables**. | ||
<img | ||
title="Overview of the exploitable vulnerabilities found in all your applications." | ||
alt="Overview of the exploitable vulnerabilities found in all your applications." | ||
src={iastExploitablesAll} | ||
/> | ||
|
||
<figcaption> | ||
**[one.newrelic.com](https://one.newrelic.com)** > **All capabilities** > **IAST** > **Exploitables**. | ||
</figcaption> | ||
|
||
|
||
2. Under **Detected exploitable vulnerabilities**, select an exploitable vulnerability, regardless of the application it belongs to, and explore details about the vulnerability and understand the specifics of how to address it. | ||
<img | ||
title="Exploitable vulnerability details and how to fix it." | ||
alt="Exploitable vulnerability details and how to fix it." | ||
src={iastVulnDetails} | ||
/> | ||
|
||
<figcaption> | ||
**[one.newrelic.com](https://one.newrelic.com)** > **All capabilities** > **IAST** > **Exploitables**, and select a vulnerability. | ||
</figcaption> | ||
|
||
## Fix untested applications [#untested-apps] | ||
|
||
If you have an application in New Relic that hasn't been tested for exploitable vulnerabilities, do the following: | ||
|
||
1. Go to **[one.newrelic.com](https://one.newrelic.com)** > **All capabilities** > **IAST**. | ||
2. Under **Protect untested applications**, select the application you want to test or click **See all** to search for it. | ||
3. From the **Untested applications** table, select the application you want to test. | ||
<img | ||
title="Untested applications table" | ||
alt="Untested applications table" | ||
src={iastUntestedApps} | ||
/> | ||
|
||
<figcaption> | ||
**[one.newrelic.com](https://one.newrelic.com)** > **All capabilities** > **IAST** > **Protect untested applications** > **See all**. | ||
</figcaption> | ||
|
||
4. In the **Enable IAST** window, follow the steps to update your application configuration so it can be tested for exploitable vulnerabilities. | ||
<img | ||
title="Enable IAST for your untested application" | ||
alt="Enable IAST for your untested application" | ||
src={iastEnableIast} | ||
/> | ||
|
||
<figcaption> | ||
**[one.newrelic.com](https://one.newrelic.com)** > **All capabilities** > **IAST** > **Protect untested applications**, and select an application. | ||
</figcaption> | ||
|
||
## See the exploitable vulnerabilities coverage for all your applications [#coverage] | ||
|
||
In **[one.newrelic.com](https://one.newrelic.com)** > **All capabilities** > **IAST** > **Coverage**, you can see how many of your applications have or haven't been tested for exploitable vulnerabilities, as well as an overview of the health of all your applications. | ||
|
||
If you see an application under **Untested applications** that you want to test for exploitable vulnerabilities, click **Set up IAST** to [fix the untested application](#untested-apps). | ||
|
||
<img | ||
title="Coverage for all your applications." | ||
alt="Coverage for all your applications." | ||
src={iastCoverageOverview} | ||
/> | ||
|
||
<figcaption> | ||
**[one.newrelic.com](https://one.newrelic.com)** > **All capabilities** > **IAST** > **Coverage**. | ||
</figcaption> | ||
|
||
## Query all vulnerabilities in an application [#query-vuln] | ||
|
||
Go to **[one.newrelic.com](https://one.newrelic.com)** > **All capabilities** > **Query Your Data**, and run the following NRQL query: | ||
|
||
```sql | ||
SELECT * FROM Vulnerability WHERE issueType = 'Application Vulnerability' AND appId = {MY_APP_ID} | ||
``` | ||
|
||
## Troubleshooting | ||
|
||
<CollapserGroup> | ||
<Collapser | ||
id="app-not-in-NR" | ||
title="I don't see my application in IAST" | ||
> | ||
If you don't see your application in **[one.newrelic.com](https://one.newrelic.com)** > **All capabilities** > **IAST**, make sure that the application has started and then, review your application's logs for further information. | ||
</Collapser> | ||
|
||
<Collapser | ||
id="agent-working" | ||
title="I'm not sure the security agent is working" | ||
> | ||
|
||
In the `nr-security-home/logs` directory, search for the file called `LANGUAGE-security-collector-init.log`. Replace `LANGUAGE` in the path with the one you used, and make sure these steps work for you: | ||
|
||
1. If the security agent started, you'll see this message in your application `stdout`: | ||
```shell | ||
This application instance is now being scanned by New Relic Security under id {{UUID}} | ||
``` | ||
2. The security agent generates a unique identifier. For web socket connection, you'll see Node auth headers. | ||
3. The security agent gathers information about your application. | ||
4. The web socket connection to SaaS validator is established successfully. | ||
5. The security agent threads are started. | ||
6. The application instrumentation is successful. | ||
7. The application receives and applies your policies and configuration. | ||
8. You see a first event sent for validation, which means the security agent started successfully. | ||
|
||
</Collapser> | ||
|
||
<Collapser | ||
id="IAST-not-working" | ||
title="I'm not sure IAST is looking for vulnerabilities" | ||
> | ||
Currently, IAST shows findings only. | ||
|
||
To see IAST analysis in progress: | ||
|
||
1. Set the `loglevel` to `debug` | ||
2. Search for `Fuzz request received` in the `nr-security-home/logs/java-security-collector.log` file. | ||
|
||
</Collapser> | ||
|
||
<Collapser | ||
id="no-vuln" | ||
title="I don't see vulnerabilities in IAST" | ||
> | ||
If you see your application in New Relic and the security agent successfully started IAST, but you don't see vulnerabilities in **[one.newrelic.com](https://one.newrelic.com)** > **All capabilities** > **IAST**, then this could be caused by: | ||
|
||
- Your application not being vulnerable. | ||
- Your web socket connection being broken. | ||
- Your application's framework or vulnerability category not being supported. | ||
|
||
If you're not sure why this is happening, share your application's configuration and logs with our [support team](https://support.newrelic.com). | ||
|
||
</Collapser> | ||
|
||
<Collapser | ||
id="stability-issues" | ||
title="I'm facing application stability issues during IAST testing" | ||
> | ||
Snapshot log files are in the `nr-security-home/logs/snapshots` folder. The log file shows you the status of the security agent, resource usage, and the last five errors. | ||
|
||
</Collapser> | ||
|
||
<Collapser | ||
id="random-files" | ||
title="I see random files/directories in my application directory" | ||
> | ||
Yes, it is expected to see the random files/directories being generated if your application has the functionality to create files/directories as part of serving the HTTP request, IAST engine will try to probe the code path and hence create such files. The files which are created by application code under the influence of incoming HTTP requests cannot be deleted by the agent. | ||
|
||
If you are sure that none of your APIs can create files/directories, please share your application's configuration and logs with our support team at support.newrelic.com. | ||
|
||
</Collapser> | ||
|
||
<Collapser | ||
id="not-responding" | ||
title="My application is not responding/crashed in the IAST testing" | ||
> | ||
It's possible to see this behavior because as a part of IAST analysis, as the security agent sends new request to the application and that increases the load resulting in increase in resource utilization. This IAST analysis can also expose uncaught error/exception in your application. | ||
|
||
If the application has crashed due to resources, please increase the resources and restart the application and perform IAST testing. | ||
|
||
</Collapser> | ||
|
||
<Collapser | ||
id="golang-vuln" | ||
title="My Golang application vulnerability is not being detected" | ||
> | ||
For Golang, make sure that you have imported the required instrumentation packages for the libraries and frameworks that your application is using. | ||
|
||
For instance, let's suppose that your application is using the following library: | ||
|
||
``` | ||
https://github.com/robertkrimen/otto | ||
``` | ||
|
||
For this, you need to import the following instrumentation package: | ||
|
||
``` | ||
https://github.com/newrelic/csec-go-agent/instrumentation/csec_robertkrimen_otto | ||
``` | ||
|
||
</Collapser> | ||
|
||
<Collapser | ||
id="not-see" | ||
title="I'm not able to see all the expected vulnerabilities for my application running in Windows environment" | ||
> | ||
Currently it is expected to miss some vulnerabilities in the windows environment as it is not fully supported at the moment. | ||
|
||
<Callout variant="tip"> | ||
IAST must only be used in the pre-production environment | ||
</Callout> | ||
|
||
</Collapser> | ||
</CollapserGroup> |
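Review bot: The troubleshooting collapsers in this hunk are Java-specific while the doc covers Java, NodeJS and Go: `id="agent-working"` points at `nr-security-home/logs/LANGUAGE-security-collector-init.log` and tells the reader to substitute `LANGUAGE`, but `id="IAST-not-working"` hard-codes `nr-security-home/logs/java-security-collector.log`, and `loglevel` in its step 1 is named without saying which agent configuration it belongs to; use the same `LANGUAGE` placeholder in both and say where `loglevel` is set. In `agent-working`, only step 1 gives a string the reader can actually search for; steps 2 through 8 describe what the agent does but not what the log shows, so either add the message for each step or state that they are listed in the order they appear in the init log. The two environment warnings also disagree and one is misplaced: the `important` callout under "Test your application" says "non-production deployments only", while the `tip` callout saying "pre-production environment" sits inside the Windows collapser (`id="not-see"`), where it reads as a Windows-specific note; pick one term and move the tip up beside the first callout, next to the sentence explaining that IAST replays requests with payloads, which is the reason for the restriction (and "vulnerable payloads" there should be "attack payloads"; the payloads are not what is vulnerable). Smaller items: "interactive applications security testing" in `title:` and in the intro should be "interactive application security testing" to match the IAST acronym; step 5 "After you've installed your application" should be "After you've installed the agent in your application"; the two untagged fences in `golang-vuln` show `https://github.com/...` URLs where the reader needs a Go import line for `github.com/newrelic/csec-go-agent/instrumentation/csec_robertkrimen_otto`, so show the `import` statement instead of a URL; `support.newrelic.com` in `random-files` should be a link as it is in `no-vuln`; "windows" in `not-see` should be capitalized; and the first paragraph of `random-files` is one run-on sentence that should be split ("Yes, this is expected. If your application creates files or directories while serving an HTTP request, the IAST engine probes that code path and so creates such files. The agent cannot delete files created by application code in response to incoming requests.").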
Binary file not shown.
@@ -0,0 +1,5 @@ | ||
title: IAST | ||
path: /docs/iast | ||
pages: | ||
- title: Use IAST in New Relic | ||
path: /docs/iast/use-iast |
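Review bot: The nav entry's `path: /docs/iast/use-iast` has to resolve to the MDX file added in this PR, but the rendered diff does not show that file's name, so confirm the doc's location maps to this path before merging; also consider aligning the nav title "Use IAST in New Relic" with the doc's own `title:` (or vice versa) so the sidebar and page heading agree.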