Deploying a .NET IAST agent

You can deploy an IAST agent on the application server that supports Java, .NET, Node.js or PHP based applications. This section explains how to create a .NET agent type on your web server.

Before you begin

If the server running IAST is behind a proxy, the IAST .NET agent supports two ways to configure an outbound HTTP proxy:
  1. System proxy settings, which are automatically detected from standard OS settings or the HTTP_PROXY, HTTPS_PROXY environment variables.
  2. IAST-specific proxy settings, defined with the application’s own environment variables. Configure them as follows:
    IAST_PROXY_HOST={proxy_ip}
IAST_Deploy_dot_net.html

If the application-specific variables are set, they take precedence; otherwise, the system proxy is used. If neither is defined, the application connects directly. Proxy settings are read at startup; changes require a restart. Check the IAST log to verify that the proxy is configured correctly.

About this task

Use the NuGet Package Manager to add the IAST agent to your application. The example below applies to Visual Studio, but the procedure is similar for other IDEs.

Procedure

  1. Configure NuGet Package Source:
    1. Open Visual Studio and navigate to Menu > Tools > Options > NuGet Package Manager > Package Source.
    2. Select the folder containing the SecAgent package.
    3. Click the + sign and give the new source a name.
  2. Identify Web Server Projects: The IAST Agent must only be installed on your web server projects that are typically responsible for serving web content (for example, ASP.NET Core or ASP.NET MVC projects). Identify these projects by looking for files such as Startup.cs, Controllers, or wwwroot folders.
  3. Install the IAST Agent NuGet: In the Solution Explorer, right-click on the web server project and select Manage NuGet Packages. Search for com.HCL.AppScan.IAST.agent and select the first package in the results. Click Install. Repeat this step for each web server project in your solution.
  4. Set Environment Variable (for .NET Core only):If you're using .NET Core, set the following environment variable: 
    "ASPNETCORE_HOSTINGSTARTUPASSEMBLIES": "SecagentCore"
  5. Verify Installation: Verify that the installation was successful.
    1. For .NET Framework: Open the web.config file and ensure the following lines are added by the nuget installation. If these lines are not added automatically, it indicates that the installation was unsuccessful: 
      <system.webServer>
                            <modules>
                              <add name="SecagentModule" type="Secagent.SecagentModule" preCondition="managedHandler" />
                            </modules>
                          </system.webServer>
                        ...
                          <appSettings>
                            <add key="IASTAgentKey" value="<token to access ASoC IAST session>" />
                            <add key="IASTHost" value="URL to ASoC host, e.g. /https://cloud.appscan.com/IAST/" />
                            <add key="IASTActive" value="true" />
                          </appSettings>
    2. For .NET Core: Ensure that an asoc-config.json file was added to the root folder of your project.

Results

The IAST agent will monitor requests and report security issues as you use or test your application (run functional tests, run a Dynamic Scan, or explore the app manually).