
IAST configuration

You can configure your IAST to handle scan scheduling. These configurations allow you to exclude certain APIs, parameters, and vulnerability categories from IAST analysis. You can also delay IAST scans or schedule them for specific times of the day.

Scheduling IAST scans

You can start and stop your scheduled IAST scans using two settings. These settings let you run the IAST scan at specific times or add a delay to the scan start time, measured from application start.

Configure your scheduled IAST scans

Open the newrelic.yml configuration file to set the scan_schedule parameters.

security:
  scan_schedule:
    delay: 0                    # In minutes; default is 0
    duration: 0                 # In minutes; default is 0, which means forever
    schedule: ""                # Cron expression defining the scan start time
    always_sample_traces: false # Sample traces regardless of the scan schedule
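To see how delay and duration combine into a scan window, here is an added illustration (not New Relic agent code). It assumes delay is counted in minutes from application start and duration counts from the moment the scan begins, with 0 meaning the scan never stops; the cron-based schedule key is not modeled, and the start time is a constructed value.

```python
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Constructed application start time for the illustration (not a real deployment).
APP_START = datetime(2024, 1, 1, 9, 0)


def scan_window(app_start: datetime, delay_min: int,
                duration_min: int) -> Tuple[datetime, Optional[datetime]]:
    """Return (scan_start, scan_end) for a delay/duration pair.

    delay_min:    minutes after application start before the scan begins.
    duration_min: minutes the scan runs; 0 means forever (end is None).
    """
    if delay_min < 0 or duration_min < 0:
        raise ValueError("delay and duration must be non-negative minutes")
    start = app_start + timedelta(minutes=delay_min)
    end = None if duration_min == 0 else start + timedelta(minutes=duration_min)
    return start, end


def is_scan_active(now: datetime, app_start: datetime,
                   delay_min: int, duration_min: int) -> bool:
    """True when `now` falls inside the scan window [start, end)."""
    start, end = scan_window(app_start, delay_min, duration_min)
    if now < start:
        return False          # still inside the initial delay
    return end is None or now < end


if __name__ == "__main__":
    # delay: 30, duration: 120 -> scanning from 09:30 until 11:30
    for minutes in (15, 45, 150):
        now = APP_START + timedelta(minutes=minutes)
        print(now.time(), "active:", is_scan_active(now, APP_START, 30, 120))
    # duration: 0 -> the scan never ends
    print("a year later, duration 0:",
          is_scan_active(APP_START.replace(year=2025), APP_START, 0, 0))
```

Running it shows the 09:15 check still inside the delay, 09:45 active, 11:30 already past the end, and the duration-0 case active indefinitely.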


Exclude from IAST scan

The exclude from IAST scan setting allows you to exclude specific APIs, vulnerability categories, and parameters from IAST analysis. This is useful in situations where certain components of the application are known to be secure, or where IAST scanning of certain APIs could result in application malfunction, such as login throttling.

To configure IAST scan exclusion, open the newrelic.yml configuration file to set the exclude_from_iast_scan parameter.

security:
  exclude_from_iast_scan:
    api: []
    http_request_parameters:
      header: []
      query: []
      body: []
    iast_detection_category:
      insecure_settings: false
      invalid_file_access: false
      sql_injection: false
      nosql_injection: false
      ldap_injection: false
      javascript_injection: false
      command_injection: false
      xpath_injection: false
      ssrf: false
      rxss: false

Exclude API

You can exclude specific APIs from IAST analysis by adding them to the api section of the newrelic.yml configuration file. Specify APIs as regular expression (regex) patterns in Perl 5 syntax. The pattern must fully match the URL (not just a substring of it), without the endpoint.

This is the format for specifying APIs:

exclude_from_iast_scan:
  api:
    - .*account.*
    - .*\/api\/v1\/.*?\/login

For example:

  • .*account.* matches APIs with URLs like http://localhost:80/api/v1/account/login

  • .*\/api\/v1\/.*?\/login matches APIs with URLs like http://localhost:80/api/v1/{account_id}/login
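Because the patterns must fully match the URL, it is worth checking them against real request paths before they go into newrelic.yml. The following is an added example, not New Relic code: it applies the two patterns above with full-match semantics using Python's re module (an assumption; the agent's Perl 5 engine may differ on exotic constructs, but these patterns behave the same). The sample URLs are constructed.

```python
import re
from typing import Dict, Iterable, List, Pattern

# Constructed stand-in for the exclude_from_iast_scan.api list in newrelic.yml;
# the two patterns are the ones shown in the docs above.
EXCLUDED_API_PATTERNS: List[str] = [
    r".*account.*",
    r".*\/api\/v1\/.*?\/login",
]

# Constructed sample request URLs (not taken from any real application).
SAMPLE_URLS: List[str] = [
    "http://localhost:80/api/v1/account/login",
    "http://localhost:80/api/v1/12345/login",
    "http://localhost:80/api/v1/12345/login/status",
    "http://localhost:80/api/v2/orders",
    "http://localhost:80/accounts",
]


def validate_patterns(patterns: Iterable[str]) -> Dict[str, str]:
    """Map each pattern that fails to compile to its error message."""
    errors: Dict[str, str] = {}
    for pat in patterns:
        try:
            re.compile(pat)
        except re.error as exc:
            errors[pat] = str(exc)
    return errors


def compile_patterns(patterns: Iterable[str]) -> List[Pattern[str]]:
    """Compile every pattern, refusing the whole list if one is malformed."""
    errors = validate_patterns(patterns)
    if errors:
        raise ValueError(f"invalid exclusion patterns: {errors}")
    return [re.compile(pat) for pat in patterns]


def is_excluded(url: str, compiled: List[Pattern[str]]) -> bool:
    """True if any pattern matches the WHOLE URL (fullmatch, not search)."""
    return any(rx.fullmatch(url) is not None for rx in compiled)


def classify(urls: Iterable[str], patterns: Iterable[str]) -> Dict[str, bool]:
    """Return {url: excluded?} for the given patterns."""
    compiled = compile_patterns(patterns)
    return {url: is_excluded(url, compiled) for url in urls}


if __name__ == "__main__":
    for url, excluded in classify(SAMPLE_URLS, EXCLUDED_API_PATTERNS).items():
        print("EXCLUDED" if excluded else "scanned ", url)
```

Two results are worth noticing: /api/v1/12345/login/status is still scanned, because the trailing /status breaks the full match, while /accounts is excluded, because .*account.* matches any URL containing that substring. Broad patterns silently widen the exclusion, so prefer anchoring them to the path segments you mean.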

Exclude http_request_parameters

You can ignore specific HTTP request parameters from IAST analysis by adding them to the http_request_parameters section of the newrelic.yml configuration file.

Exclude iast_detection_category

The iast_detection_category setting lets you choose which vulnerability categories IAST analysis covers or ignores. If a category is set to true, the IAST security agent will not generate events or flag vulnerabilities for that category.

The following example skips scanning for SQL injection and SSRF by setting the sql_injection and ssrf parameters to true:

exclude_from_iast_scan:
  iast_detection_category:
    insecure_settings: false
    invalid_file_access: false
    sql_injection: true
    nosql_injection: false
    ldap_injection: false
    javascript_injection: false
    command_injection: false
    xpath_injection: false
    ssrf: true
    rxss: false

Tip

The iast_detection_category settings take priority over the detection configuration in the security section.

You can use this combined configuration:

security:
  enabled: true
  scan_schedule:
    delay: 0                    # In minutes; default is 0
    duration: 0                 # In minutes; default is 0, which means forever
    #schedule: ""               # Cron expression defining the scan start time
    always_sample_traces: false # Continuously collect samples
  exclude_from_iast_scan:
    api: []
    http_request_parameters:
      header: []
      query: []
      body: []
    iast_detection_category:
      insecure_settings: false
      invalid_file_access: false
      sql_injection: false
      nosql_injection: false
      ldap_injection: false
      javascript_injection: false
      command_injection: false
      xpath_injection: false
      ssrf: false
      rxss: false
  agent:
    enabled: true

IAST scan controllers

IAST scan rate limit

The IAST scan rate limit setting caps the number of analysis probes (replay requests) that can be sent to the application in one minute. The default rate limit allows a minimum of 12 and a maximum of 3,600 replay requests per minute.

Copyright © 2024 New Relic Inc.
