This is the first step in diagnosing your New Relic IAST problem yourself, use this guide to resolve issues quickly.
If you don't find your problem listed here, you can always reach out to New Relic Support.
Go to one.newrelic.com > All capabilities > IAST > Tests. Click on an application to check the application testing efficiency, vulnerabilities, APIs covered, and methods calls, amongst other data.
IAST requires restarting the application after it's enabled.
If this is a new app, firewalls could be preventing it from communicating with the NR platform. Check the service stats section in the file with the latest timestamp in nr-security-home/logs/snapshots
. All 6 items in that list should say OK. If they don't, review the logs for additional info or reach out to New Relic Support. You can also see the standard firewall documentation.
If you can see your application in the New Relic UI and the security agent successfully started IAST, but you don't see vulnerabilities in the UI, check the following:
The level of efficiency for your application: Go to one.newrelic.com > All capabilities > IAST > Tests. Search for your application and check the summary section. If IAST coverage is low for your application, add additional test cases to your application to get a higher level of testing efficiency.
The IAST coverage: Go to one.newrelic.com > All capabilities > IAST > Tests. Search for your application and click on it. Under the summary section, check if IAST analysis coverage is high and no vulnerabilities are detected, that means your application is secure.
Your application's framework or vulnerability category is not supported.
If after checking these, you're still not seeing vulnerabilities in IAST, please, contact New Relic Support.
If you don't see your application in one.newrelic.com > All capabilities > IAST > Tests, check the following:
- Your application is up and running: Check the application process or the APM & Services page.
- The application's logs to find out if there's a problem.
- The version of your APM agent and udpate it if needed.
- The
newrelic.yml
config file includes the modification of the parameters as indicated on the install page. - Go to the
nr-security-home/logs
directory and find the[SETP-8]
line in theLANGUAGE-security-collector-init.log
file. Check if there is an unexpected error and know what failed. - The application has traffic. Generate some traffic to allow IAST to test your application.
- Proxy or Firewall blocking access. Whitelist the following IPs
3.134.136.130, 18.219.177.104, 18.117.21.106
for the domain csec.nr-data.net, the following IPs3.130.22.102, 3.138.243.136, 3.139.218.150
for the domain csec-gov.nr-data.net and the following IPs18.185.235.118, 3.125.193.113, 3.75.166.122
for the domain csec.eu01.nr-data.net. But our recommendation is to add domains in the whitelist instead of the IPs as these IPs are bound to change anytime. - The TLS Certificate is correct. Add Let's Encrypt CA certificate (download from Let's Encrypt Certificates) to your local trust store. Include both the root certificates and the intermediate ones (ISRG Root X1 & Let's Encrypt R3) to establish the complete chain of trust.
- Your application's framework or vulnerability category is supported.
Importante
If you're using APM's high security mode, the agent won't work.
To disable it, you need to contact New Relic Support.
When the security agent is working correctly:
You see your application in one.newrelic.com > All capabilities > IAST > Tests. The application is started and there is traffic generated.
In the
nr-security-home/logs
directory, search for theLANGUAGE-security-collector-init.log
file. ReplaceLANGUAGE
in the filename with the one you are using. Search for these steps to see where the problem is:- [STEP-1]: The security agent is starting.
- [STEP-2]: The security agent generates a unique identifier. For web socket connection, you'll see Node auth headers.
- [STEP-3]: The security agent gathers information about your application.
- [STEP-4]: The web socket connection to SaaS validator is established successfully.
- [STEP-5]: The security agent threads started.
- [STEP-6]: The application instrumentation is successful.
- [STEP-7]: The application receives and applies your policies and configuration.
- [STEP-8]: You see a first event sent for validation, which means the security agent started successfully.
Here's an excerpt of a security agent log file
LANGUAGE-security-collector-init.log
:Init Log File initiated.Init Logger configured successfully with level: INFO and rollover on max size 52428800.2023-05-26 10:45:02 : [8] [New Relic RPM Connection Service] INFO : com.newrelic.api.agent.security.Agent - [STEP-1] => Security agent is starting2023-05-26 10:45:02 : [8] [New Relic RPM Connection Service] INFO : com.newrelic.agent.security.AgentInfo - [STEP-2] => Generating unique identifier: 8a6d79c3-ad67-35d6-b811-17f7515b7f292023-05-26 10:45:02 : [8] [New Relic RPM Connection Service] INFO : com.newrelic.api.agent.security.Agent - [STEP-3] => Gathering information about the application
You can check if IAST is working, even if you're seeing your application in the IAST UI and the security agent started successfully. Follow these steps for checking it:
Go to one.newrelic.com > All capabilities > IAST > Tests.
Search for your application in the Application tests tab and click on it.
View the details of the test including APIs covered, methods calls, and application testing efficiency.
Also, if you set the log level to debug/finest, you can search for Fuzz request received in the
nr-security-home/logs/java-security-collector.log
file. This shows that the IAST analysis is in progress.
IAST starts testing when detects that there is traffic, so check if your application works out or has any traffic directed at it. Perform the app's UI or API endpoints.
These can be the reasons if IAST doesn't detect known vulnerabilities:
IAST doesn't support application framework.
There is no instrumentation for the module.
Your application may show high traffic and latency for some time as part of IAST. This should resolve in a few minutes when it finishes the IAST test.
You can also check the snapshot log file in the nr-security-home/logs/snapshots
folder. The log file shows you the status of the security agent, resource usage, and the last five errors.
If your application has the functionality to create files and directories as part of serving an HTTP request, IAST will try to test the code path and hence, create such files and directories. The application code, under the influence of incoming HTTP requests, creates these files. The agent can't deleted them.
If you're sure that none of your APIs can create files and directories, share your application's configuration and logs with New Relic Support.
As a part of IAST, the security agent sends new requests to the application that increases the load, resulting in an increase of resource utilization. This IAST analysis can also expose uncaught errors or exceptions in your application.
If the application has crashed due to lack of resources, increase the resources, restart the application, and perform IAST again.
You can update the appId
in the below query and run it in the query builder to find all the vulnerabilities reported for your application.
SELECT * FROM Vulnerability WHERE issueType = 'Application Vulnerability' AND appId = YOU_APPLICATION_ID
Update the status of your vulnerability if you think IAST has reported a false positive. Follow these steps:
Search your application: Go to one.newrelic.com > All capabilities > IAST > Tests.
Click on the all applications tab and select the vulnerability that is not an actual vulnerability.
Under the vulnerability details section, you can update the vulnerability status for the reported vulnerability. You can update its status to:
- False positive
- Resolved
- Unresolved
If you want to list out the vulnerabilities for which you updated the status, you can apply the filter in the detected exploitable vulnerabilities list.
For Golang, make sure that you imported the required instrumentation packages for the libraries and frameworks that your application uses.
For instance, let's suppose that your application is using libraries for Mongo DB. For this specific library, you need to import this instrumentation package from newrelic:
import ("github.com/newrelic/go-agent/v3/integrations/nrsecurityagent""github.com/newrelic/go-agent/v3/newrelic""github.com/newrelic/csec-go-agent/instrumentation/csec_mongodb_mongo""go.mongodb.org/mongo-driver/mongo")Depending on you application requierement, there're other packages that you may need to import. Check here the list of supported packages.
Make sure you imported the corresponding package for each module.
If you're opening an HTTP protocol endpoint, place the
newrelic.WrapListen
function around the endpoint name to enable vulnerability scanning against that endpoint:http.ListenAndServe(newrelic.WrapListen(":YOUR_PORT_NUMBER"), nil)Importante
You can skip this step if you're on a Linux environment.
For a specific case of Outbound HTTP Request or calls to external services, you need to update your application method.
IAST is supported for the Windows environment. However, for some Java application, you may face classCirculatoryError
and need to disable low priority instrumentation in the agent configuration as follows:
Disable low-priority-instrumentation from security config:
low-priority-instrumentation:enabled: falseExclude low-priority-instrumentation class from the class transformer. To do this, add the given lines in the
class_transformer
section of the config file:com.newrelic.instrumentation.security.low-priority-instrumentation:enabled: false
No, we don't have any APIs to download IAST findings.
IAST sends new requests to the application based on what it observes during testing. The goal is to determine if malicious behaviors are possible which involves invoking additional API and method calls using an exploit payload. This can result in undesirable manipulation of customer data and triggering of runtime protection services.