feat(iast): new doc & imgs #13189
feat(iast): new doc & imgs #13189
Conversation
x8a
added
content
|
Hi @x8a 👋 Thanks for your pull request! Your PR is in a queue, and a writer will take a look soon. We generally publish small edits within one business day, and larger edits within three days. Gatsby Cloud will automatically generate a preview of your request, and will comment with a link when the preview is ready (usually 20 to 30 minutes). |
✅ docs-website-develop deploy preview ready
|
| - Troubleshooting | ||
| metaDescription: Use Vulnerability Management to find exploitable vulnerabilities in your application. | ||
| --- | ||
|
|
There was a problem hiding this comment.
I'd add here an introduction about the page
There was a problem hiding this comment.
Yes! I'm waiting on the PM to send me some content for the intro 🙌🏻.
src/nav/root.yml
Outdated
| @@ -55,6 +55,8 @@ pages: | |||
| path: integrations | |||
| - title: Vulnerability Management | |||
| path: vuln-management | |||
| - title: Interactive applications security testing (IAST) | |||
There was a problem hiding this comment.
Please move this top level IAST category so it's alphabetical in the nav, between Errors inbox and Open-source integrations.
Also, can we get away with just having it be IAST in the left nav?
| @@ -0,0 +1,51 @@ | |||
| --- | |||
| title: Troubleshooting for interactive applications security testing (IAST) | |||
There was a problem hiding this comment.
This doc feels weird as a standalone thing. It doesn't quite much our troubleshooting doc guidelines: https://docs.newrelic.com/docs/style-guide/writing-docs/article-templates/troubleshooting-docs-guide/
I think I'd prefer to either stick this at the end of the Use IAST doc (with each problem statement in a series of collapsers for easy scanning) or have each of these split out into its own troubleshooting doc in a specific Troubleshooting category.
There was a problem hiding this comment.
I'll add it to the main doc, then!
|
|
||
| Confirm that the application has started and then review the application's logs for further information. | ||
|
|
||
| ## How do I make sure that the security agent is working? |
There was a problem hiding this comment.
Can we restate this as a problem statement instead of a question? (We want to avoid FAQ-style docs on out site and this one is creeping up on that.)
Also, this is pretty generic for a troubleshooting problem statement. Is it not self-evident when the security agent is "working"?
| 7. The application receives and applies your policies and configuration. | ||
| 8. You see a first event sent for validation, which means the security agent started successfully. | ||
|
|
||
| ## How do I know IAST is working? |
There was a problem hiding this comment.
See comment on the previous section. I'd prefer these were written as problem statements, rather than questions.
|
|
||
| If you're not sure why this is happening, share your application's configuration and logs with our support team at [support.newrelic.com](https://support.newrelic.com). | ||
|
|
||
| ## I'm facing application stability issues during IAST testing |
There was a problem hiding this comment.
Can we provide some guidance on what to look for in that log file and what to do with those errors?
| metaDescription: Use Vulnerability Management to find exploitable vulnerabilities in your application. | ||
| --- | ||
|
|
||
| ## I don't see my application in New Relic |
There was a problem hiding this comment.
Can you get more specific with this problem statement?
|
|
||
| ## I don't see my application in New Relic | ||
|
|
||
| Confirm that the application has started and then review the application's logs for further information. |
There was a problem hiding this comment.
How do I confirm that? Where do I find the application's logs?
There was a problem hiding this comment.
This is your own application logs. That will depend on how your application stores logs. I'll make it more obvious that that's what you need to check.
| This application instance is now being scanned by New Relic Security under id {{UUID}} | ||
| ``` | ||
|
|
||
| In the `nr-security-home/logs` directory, search for the file called `java-security-collector-init.log`, replace `java` in the path depending on language you used, and make sure these steps work for you: |
There was a problem hiding this comment.
Is it worth listing all of the languages it could be here? Seems like we could easily provide a list of all of the log file names?
There was a problem hiding this comment.
Adding all the languages could make it more difficult to maintain and I don't see it adding a lot of value. I can make it more generic so it works for all languages that may come in the future.
|
|
||
| In the `nr-security-home/logs` directory, search for the file called `java-security-collector-init.log`, replace `java` in the path depending on language you used, and make sure these steps work for you: | ||
|
|
||
| 1. The security agent is starting. |
There was a problem hiding this comment.
You'll see the above message in your app's logs. I'll move that here, since it makes more sense.
| In the `nr-security-home/logs` directory, search for the file called `java-security-collector-init.log`, replace `java` in the path depending on language you used, and make sure these steps work for you: | ||
|
|
||
| 1. The security agent is starting. | ||
| 2. It generates a unique identifier. For web socket connection, you'll see Node auth headers. |
There was a problem hiding this comment.
Where do I find this unique ID?
There was a problem hiding this comment.
Where will I see the Node auth headers? Is this all self-evident?
There was a problem hiding this comment.
I'll ask the dev about this ID.
| 5. The security agent threads are started. | ||
| 6. The application instrumentation is successful. | ||
| 7. The application receives and applies your policies and configuration. | ||
| 8. You see a first event sent for validation, which means the security agent started successfully. |
There was a problem hiding this comment.
For all of these steps, I think we need a little more clarity about where I can verify all of these things. I get the feeling that some things are in an application console and some things are in the New Relic UI, but it's tough for me to split them out without knowing more.
There was a problem hiding this comment.
This is all part of the log file we mention. I asked the dev to give me a sample file so we can have it here and users can see it in context.
|
|
||
| ## How do I know IAST is working? | ||
|
|
||
| Currently, IAST shows findings only. Before this feature is publicly available, the New Relic UI will be updated to show progress as well. |
There was a problem hiding this comment.
I think we can lose that second sentence. I think it's better not to document things that don't exist yet.
|
|
||
| Currently, IAST shows findings only. Before this feature is publicly available, the New Relic UI will be updated to show progress as well. | ||
|
|
||
| If you have set the `loglevel` to `debug`, you can search for `Fuzz request received` in the `nr-security-home/logs/java-security-collector.log` file. That shows that IAST analysis is in progress. |
There was a problem hiding this comment.
I'd flip this: In order to see the IAST analysis in progress, if you've set the loglevel to debug, search for...etc
|
|
||
| If you have set the `loglevel` to `debug`, you can search for `Fuzz request received` in the `nr-security-home/logs/java-security-collector.log` file. That shows that IAST analysis is in progress. | ||
|
|
||
| ## I don't see vulnerabilities in New Relic |
There was a problem hiding this comment.
Do we first want to make sure they're looking for these in the right place?
|
|
||
| import iastEnableIast from 'images/iast_screenshot-crop_enable-iast.webp' | ||
|
|
||
| <Callout title="PREVIEW"> |
There was a problem hiding this comment.
Is this still in preview?
There was a problem hiding this comment.
Do we want to provide some info on what someone can do to sign up to try it out?
There was a problem hiding this comment.
Yes, it'll be a public preview. Users don't need to do anything, it'll be in the UI when they release it.
src/content/docs/iast/use-iast.mdx
Outdated
| This feature is currently in preview. | ||
| </Callout> | ||
|
|
||
| When your application has exploitable vulnerabilities, it means that someone could take advantage of a misconfiguration to access sensitive information. To help prevent that from happening, install our interactive applications security testing (IAST) to assist in finding exploitable vulnerabilities. |
There was a problem hiding this comment.
To help prevent that from happening, install our interactive applications security testing (IAST) to assist in finding exploitable vulnerabilities. -->
To help prevent that, install our interactive applications security testing (IAST).
src/content/docs/iast/use-iast.mdx
Outdated
| <Callout variant="important"> | ||
| Run IAST with non-production deployments only. | ||
|
|
||
| IAST tests your applications for any exploitable vulnerability by replaying the generated HTTP request with vulnerable payloads. Run IAST only on non-production deployments to avoid exposing vulnerabilities on your production software. |
There was a problem hiding this comment.
I think you can tighten up the text in this paragraph. (For example, the second sentence here feels like a loose restatement of the first sentence in the callout)
There was a problem hiding this comment.
I wanted to emphasize the fact that users need to avoid using IAST in prod deployments, but I shifted the content a bit.
No description provided.