Deploying an IAST agent on Azure App Service

Use the IAST agent to monitor applications that run on Azure App Service.

Deploying a .NET Core IAST agent using the HCL AppScan IAST .NET Core site extension

About this task

The HCL AppScan IAST .NET Core Site Extension installs the Interactive Application Security Testing (IAST) agent into your .NET Core app on Azure App Service. After you enable the agent, it monitors the app at runtime and reports detected vulnerabilities to ASoC.
Note: The HCL AppScan IAST .NET Core site extension is applicable to .NET Core applications running on Windows.

Procedure

  1. Adding the HCL AppScan IAST .NET Core Site Extension:
    1. In the Azure portal, open your App Service.
    2. Go to Development Tools > Extensions.
    3. Click + Add. A list of available extensions is displayed.
    4. Select IAST .NET Core Site Extension for Azure App Service.

    5. Click Add. The extension is installed automatically.
  2. Configuring the site extension:
    1. Select Settings > Environment variables.
    2. Click Add, and then add the following environment variables:
      Name               Example                          Description
      IAST_ACCESS_TOKEN  (your access token)              Authenticates the agent with ASoC.
      IAST_HOST          https://cloud.appscan.com/IAST   The ASoC host URL that the agent connects to.

    3. Click Save to apply the changes.
    4. Restart the App Service to enable the agent.
  3. Verification: After the restart, the agent starts automatically.
    1. In ASoC: Open your application and confirm an active IAST connection.
    2. In Azure: Check the log stream for IAST agent startup and connection messages.

Deploying a .NET IAST agent on Azure

About this task

Use the NuGet Package Manager to add the IAST agent to your application before deploying to Azure App Service. The steps below deploy through Visual Studio, but the procedure is similar for other IDEs.
Note: This method is applicable to .NET Framework and .NET Core applications.

Procedure

  1. Start a .NET IAST session and download the agent NuGet as described here.
  2. Open Visual Studio and select Menu > Tools > Options > NuGet Package Manager > Package Source.
  3. Select the folder containing the IAST agent NuGet.
  4. Click the + sign to add a new NuGet source, and then give it a name.
  5. In the Solution Explorer, right-click the project that you want IAST to monitor and select Manage NuGet Packages.
  6. In the Search field, type com.HCL.AppScan.IAST.agent and select the first package listed in the results.
  7. Click Install.
  8. .NET Core only: Configuration in the Azure environment.

    Set the environment variable with these steps:

    1. In the Azure portal, go to Settings > Environment variables.
    2. Add the following environment variable:
      Name                                 Value
      ASPNETCORE_HOSTINGSTARTUPASSEMBLIES  SecagentCore
    3. Click Save to apply the changes.
    4. Restart the App Service to enable the agent.
  9. Deploy your application to Azure App Service.
  10. Verification: The agent is now installed.

    In ASoC: Open your application and confirm an active IAST connection.

    In Azure: Check the log stream for IAST agent startup and connection messages.

    As you use or test your application (run functional tests, run a DAST scan, or explore the application manually), the IAST agent monitors requests as they are sent, and reports on security issues it finds.

Deploying a Node.js IAST agent on Azure

Procedure

  1. If you have not yet done so, create an application for your scans.
  2. In the Application view, click Create Scan to open the wizard, then select Interactive (IAST).
  3. Select Node.js and click Generate key. This generates a unique key that connects your application with the IAST session in ASoC. Save this key for later.
  4. In your workspace, install the IAST agent from npm with the command:
    npm install --save @hclsoftware/secagent
    This adds @hclsoftware/secagent to the dependencies in the package.json file of your application:
  5. By default, Azure App Service uses the start script in your package.json as the run command. Edit the start script to set the agent key from step three above as an environment variable and to run the IAST agent from step four as a required package.
    For example, if the original command was: Edit it to this:
  6. Configuring the site extension: Select Settings > Environment variables.
  7. Add the following environment variables, using the value saved in step #3:
    Name               Example                          Description
    IAST_ACCESS_TOKEN  (your access token)              Authenticates the agent with ASoC.
    IAST_HOST          https://cloud.appscan.com/IAST   The ASoC host URL that the agent connects to.

  8. Click Save to apply the changes.
  9. Restart the App Service to enable the agent.
  10. Deploy your application to Azure App Service.
  11. Verification: After the restart, the agent starts automatically.
    1. In ASoC: Open your application and confirm an active IAST connection.
    2. In Azure: Check Log stream for IAST agent startup and connection messages.

    As you use or test your application (run functional tests, run a DAST scan, or explore the application manually), the IAST agent monitors requests as they are sent, and reports on security issues it finds.
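
The following preflight check for steps 4 to 7 of the Node.js procedure is an added example, not part of the HCL documentation or the agent's own code. It assumes that running the agent "as a required package" means Node's -r / --require flag; checkIastSetup and the sample objects are constructed for illustration.

```javascript
// Added example (not HCL code): preflight check for the Node.js procedure.
// Assumption: "run the agent as a required package" means Node's
// -r / --require preload flag in the package.json start script.
const AGENT = '@hclsoftware/secagent';
const SETTINGS = ['IAST_ACCESS_TOKEN', 'IAST_HOST'];
const PRELOAD = /(?:^|\s)(?:-r\s+|--require(?:\s+|=))@hclsoftware\/secagent(?=\s|$)/;

function checkIastSetup(pkg, env) {
  const errors = [];
  const warnings = [];
  const start = (pkg.scripts && pkg.scripts.start) || '';

  // Step 4: npm install --save must have recorded the dependency.
  if (!Object.keys(pkg.dependencies || {}).includes(AGENT)) {
    errors.push(`${AGENT} is not listed in dependencies`);
  }
  // Step 5: the start script must preload the agent before the app code.
  if (!PRELOAD.test(start)) {
    errors.push('start script does not preload the agent');
  }
  // Step 7: both settings must reach the process, from App Service
  // environment variables or from an inline NAME=value in the start script.
  for (const name of SETTINGS) {
    const inline = new RegExp(`(?:^|\\s)${name}=\\S+`).test(start);
    if (!env[name] && !inline) errors.push(`${name} is not set`);
    if (inline && name === 'IAST_ACCESS_TOKEN') {
      warnings.push('access token is written in package.json and stored with the source');
    }
  }
  // The agent authenticates to this host, so require a well-formed https URL.
  if (env.IAST_HOST) {
    let proto = null;
    try { proto = new URL(env.IAST_HOST).protocol; } catch (e) { /* malformed URL */ }
    if (proto !== 'https:') errors.push('IAST_HOST is not a valid https URL');
  }
  return { errors, warnings };
}

// Constructed sample input: a package.json after steps 4-5 and the
// App Service environment after step 7 (placeholder token, made-up versions).
const samplePkg = {
  scripts: { start: 'node -r @hclsoftware/secagent app.js' },
  dependencies: { '@hclsoftware/secagent': '*', express: '^4.18.0' },
};
const sampleEnv = {
  IAST_ACCESS_TOKEN: '<your-access-token>',
  IAST_HOST: 'https://cloud.appscan.com/IAST',
};
console.log(checkIastSetup(samplePkg, sampleEnv));
```

To check a real app, pass the parsed package.json and process.env in place of the sample objects.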