feat(iast): new doc & imgs #13189
Conversation
Hi @x8a 👋 Thanks for your pull request! Your PR is in a queue, and a writer will take a look soon. We generally publish small edits within one business day, and larger edits within three days. Gatsby Cloud will automatically generate a preview of your request, and will comment with a link when the preview is ready (usually 20 to 30 minutes).
✅ docs-website-develop deploy preview ready
I probably would add an introductory text, other than that it's perfect ;-)
- Troubleshooting | ||
metaDescription: Use Vulnerability Management to find exploitable vulnerabilities in your application. | ||
--- | ||
I'd add here an introduction about the page
Yes! I'm waiting on the PM to send me some content for the intro 🙌🏻.
src/nav/root.yml
@@ -55,6 +55,8 @@ pages: | |||
path: integrations | |||
- title: Vulnerability Management | |||
path: vuln-management | |||
- title: Interactive applications security testing (IAST) |
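Review bot: the added `- title:` line uses "Interactive applications security testing"; the established term that the IAST acronym expands to is "interactive application security testing", singular. Suggest `- title: Interactive application security testing (IAST)` here, and the same fix wherever the page titles in this PR reuse the phrase.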
Please move this top level IAST category so it's alphabetical in the nav, between Errors inbox and Open-source integrations.
Also, can we get away with just having it be IAST in the left nav?
Yep!
@@ -0,0 +1,51 @@ | |||
--- | |||
title: Troubleshooting for interactive applications security testing (IAST) |
This doc feels weird as a standalone thing. It doesn't quite match our troubleshooting doc guidelines: https://docs.newrelic.com/docs/style-guide/writing-docs/article-templates/troubleshooting-docs-guide/
I think I'd prefer to either stick this at the end of the Use IAST doc (with each problem statement in a series of collapsers for easy scanning) or have each of these split out into its own troubleshooting doc in a specific Troubleshooting category.
I'll add it to the main doc, then!
Confirm that the application has started and then review the application's logs for further information. | ||
## How do I make sure that the security agent is working? |
Can we restate this as a problem statement instead of a question? (We want to avoid FAQ-style docs on our site and this one is creeping up on that.)
Also, this is pretty generic for a troubleshooting problem statement. Is it not self-evident when the security agent is "working"?
7. The application receives and applies your policies and configuration. | ||
8. You see a first event sent for validation, which means the security agent started successfully. | ||
## How do I know IAST is working? |
See comment on the previous section. I'd prefer these were written as problem statements, rather than questions.
If you're not sure why this is happening, share your application's configuration and logs with our support team at [support.newrelic.com](https://support.newrelic.com). | ||
## I'm facing application stability issues during IAST testing |
Can we provide some guidance on what to look for in that log file and what to do with those errors?
I'll ask the devs!
metaDescription: Use Vulnerability Management to find exploitable vulnerabilities in your application. | ||
--- | ||
## I don't see my application in New Relic |
Can you get more specific with this problem statement?
## I don't see my application in New Relic | ||
Confirm that the application has started and then review the application's logs for further information. |
How do I confirm that? Where do I find the application's logs?
This is your own application logs. That will depend on how your application stores logs. I'll make it more obvious that that's what you need to check.
This application instance is now being scanned by New Relic Security under id {{UUID}} | ||
``` | ||
In the `nr-security-home/logs` directory, search for the file called `java-security-collector-init.log`, replace `java` in the path depending on language you used, and make sure these steps work for you: |
Is it worth listing all of the languages it could be here? Seems like we could easily provide a list of all of the log file names?
Adding all the languages could make it more difficult to maintain and I don't see it adding a lot of value. I can make it more generic so it works for all languages that may come in the future.
In the `nr-security-home/logs` directory, search for the file called `java-security-collector-init.log`, replace `java` in the path depending on language you used, and make sure these steps work for you: | ||
1. The security agent is starting. |
How do I know?
You'll see the above message in your app's logs. I'll move that here, since it makes more sense.
In the `nr-security-home/logs` directory, search for the file called `java-security-collector-init.log`, replace `java` in the path depending on language you used, and make sure these steps work for you: | ||
1. The security agent is starting. | ||
2. It generates a unique identifier. For web socket connection, you'll see Node auth headers. |
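Review bot: step 2 tells the reader they will see "Node auth headers" for the web socket connection in `java-security-collector-init.log`, but does not say whether the header values themselves are written to that file. Since the same doc asks readers to share their application's configuration and logs with support, either confirm here that those values are redacted in the log, or add a sentence telling readers to remove them before sharing the file.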
Where do I find this unique ID?
Where will I see the Node auth headers? Is this all self-evident?
I'll ask the dev about this ID.
5. The security agent threads are started. | ||
6. The application instrumentation is successful. | ||
7. The application receives and applies your policies and configuration. | ||
8. You see a first event sent for validation, which means the security agent started successfully. |
For all of these steps, I think we need a little more clarity about where I can verify all of these things. I get the feeling that some things are in an application console and some things are in the New Relic UI, but it's tough for me to split them out without knowing more.
This is all part of the log file we mention. I asked the dev to give me a sample file so we can have it here and users can see it in context.
## How do I know IAST is working? | ||
Currently, IAST shows findings only. Before this feature is publicly available, the New Relic UI will be updated to show progress as well. |
I think we can lose that second sentence. I think it's better not to document things that don't exist yet.
Currently, IAST shows findings only. Before this feature is publicly available, the New Relic UI will be updated to show progress as well. | ||
If you have set the `loglevel` to `debug`, you can search for `Fuzz request received` in the `nr-security-home/logs/java-security-collector.log` file. That shows that IAST analysis is in progress. |
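Review bot: the instruction to set `loglevel` to `debug` has no matching step to set it back once the check is done, and it does not say whether the `Fuzz request received` entries include the replayed request itself. If they do, `java-security-collector.log` at debug level will contain the generated payloads, so the doc should say so and give the same handling advice it gives for the other logs readers are asked to share with support. Suggest: "After you confirm the analysis is running, return `loglevel` to its previous value."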
I'd flip this: In order to see the IAST analysis in progress, if you've set the loglevel to debug, search for...etc
If you have set the `loglevel` to `debug`, you can search for `Fuzz request received` in the `nr-security-home/logs/java-security-collector.log` file. That shows that IAST analysis is in progress. | ||
## I don't see vulnerabilities in New Relic |
Do we first want to make sure they're looking for these in the right place?
import iastEnableIast from 'images/iast_screenshot-crop_enable-iast.webp' | ||
<Callout title="PREVIEW"> |
Is this still in preview?
Do we want to provide some info on what someone can do to sign up to try it out?
Yes, it'll be a public preview. Users don't need to do anything, it'll be in the UI when they release it.
src/content/docs/iast/use-iast.mdx
This feature is currently in preview. | ||
</Callout> | ||
When your application has exploitable vulnerabilities, it means that someone could take advantage of a misconfiguration to access sensitive information. To help prevent that from happening, install our interactive applications security testing (IAST) to assist in finding exploitable vulnerabilities. |
To help prevent that from happening, install our interactive applications security testing (IAST) to assist in finding exploitable vulnerabilities. -->
To help prevent that, install our interactive applications security testing (IAST).
src/content/docs/iast/use-iast.mdx
<Callout variant="important"> | ||
Run IAST with non-production deployments only. | ||
IAST tests your applications for any exploitable vulnerability by replaying the generated HTTP request with vulnerable payloads. Run IAST only on non-production deployments to avoid exposing vulnerabilities on your production software. |
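Review bot: the callout body justifies the non-production rule only by the risk of exposing vulnerabilities, but the same sentence says IAST works by replaying the generated HTTP requests with payloads, and replayed requests carry whatever side effects the original requests had in the environment they hit. That is the stronger reason for the restriction and the callout should state it. Suggest adding after the second sentence: "Because IAST replays real requests, run it against an environment with disposable test data and no live downstream integrations."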
I think you can tighten up the text in this paragraph. (For example, the second sentence here feels like a loose restatement of the first sentence in the callout)
I wanted to emphasize the fact that users need to avoid using IAST in prod deployments, but I shifted the content a bit.
Looks good!