You can configure your IAST to handle scan scheduling. These configurations allow you to exclude certain APIs, parameters, and vulnerability categories from IAST analysis. You can also delay IAST scans or schedule them for specific times of the day.
Scheduling IAST scans
You can start and stop your scheduled IAST scans using 2 variables. These variables allow you to set specific times for the IAST scan or add a delay to the IAST scan start time from the application.
Configure your scheduled IAST scans
Open the newrelic.yml
configuration file to set the scan_schedule
parameters.
security: scan_schedule: delay: 0 #In minutes, default is 0 min duration: 0 #In minutes, default is forever schedule: "" #Cron Expression to define start time always_sample_traces: false #regardless of scan schedule
Examples
Exclude from IAST scan
The exclude from IAST scan setting allows you to exclude specific APIs, vulnerability categories, and parameters from IAST analysis. This is useful in situations where certain components of the application are known to be secure, or where IAST scanning of certain APIs could result in application malfunction, such as login throttling.
To configure IAST scan exclusion, open the newrelic.yml
configuration file to set the exclude_from_iast_scan
parameter.
security: exclude_from_iast_scan: api: [] http_request_parameters: header: [] query: [] body: [] iast_detection_category: insecure_settings: false invalid_file_access: false sql_injection: false nosql_injection: false ldap_injection: false javascript_injection: false command_injection: false xpath_injection: false ssrf: false rxss: false
Exclude API
You can ignore specific APIs from IAST analysis by adding them to the API section of the newrelic.yml
configuration file. You can specify APIs using regular expression (regex) patterns that follow the syntax of Perl 5. The regex pattern should provide a full match for the URL without the endpoint.
This is the format for specifying APIs:
exclude_from_iast_scan: api: - .*account.* - .*/\api\/v1\/.*?\/login
For example:
.*account.*
matches APIs with URLs likehttp://localhost:80/api/v1/account/login
.*/\api\/v1\/.*?\/login
matches APIs with URLs likehttp://localhost:80/api/v1/{'{account_id}'}/login
Exclude http_request_parameters
You can ignore specific HTTP request parameters from IAST analysis by adding them to the http_request_parameters
section of the newrelic.yml
configuration file.
Exclude iast_detection_category
The iast_detection_category
setting allows users to specify categories of vulnerabilities for which IAST analysis will be applied or ignored. If one of these categories is set to true
, the IAST security agent will not generate events or flag vulnerabilities for that category.
See this example to skip scanning for SQL Injection and SSRF. The sql_injection
and ssrf
parameters are set to true
:
exclude_from_iast_scan: iast_detection_category: insecure_settings: false invalid_file_access: false sql_injection: true nosql_injection: false ldap_injection: false javascript_injection: false command_injection: false xpath_injection: false ssrf: true rxss: false
Tip
The iast_detection_category
will be prioritized over detection config present in security section.
You can use this combined configuration:
security: enabled: true scan_schedule: delay: 0 #In minutes, default is 0 min duration: 0 #In minutes, default will be forever #schedule: "" #Cron Expression to define start time always_sample_traces: false #continuously collect samples exclude_from_iast_scan: api: [] http_request_parameters: header: [] query: [] body: [] iast_detection_category: insecure_settings: false invalid_file_access: false sql_injection: false nosql_injection: false ldap_injection: false javascript_injection: false command_injection: false xpath_injection: false ssrf: false rxss: false agent: enabled: true
IAST scan controllers
IAST scan rate limit
IAST scan rate limit settings limit the maximum number of analysis probes or requests that can be sent to the application in one minute. The default IAST scan rate limit is set to a minimum of 12 replay requests per minute and a maximum of 3,600 replay requests per minute.