
IAST billing

It's important for you to know how you'll be billed when you use interactive application security testing (IAST). You're billed for this capability through an optional add-on called Compute Add On. This is the third of the three billing factors at New Relic:

  • The amount of data you ingest
  • The number of billable users you have
  • The optional add-ons you've purchased

Once you have this add-on, New Relic calculates your IAST costs based on the Compute Capacity Units (CCUs) you consume.

Learn about IAST costs

CCUs are consumed when you use the IAST capability to analyze an application for exploitable vulnerabilities. In order to assess the potential vulnerability of your application, attack simulations are used to generate responses from the application.

Each response is analyzed to determine the nature of the behavior. If the behavior is unsafe, the status for the test run will be set to Exploitable. This means that in a production environment, an attacker could use one of these vulnerabilities to exploit your applications, infrastructure, or data. To keep your CCU consumption optimal when using IAST, consider these factors: the complexity of your application, the efficiency of your testing, and the number of test runs.

Screenshot showing a table of run tests

Go to one.newrelic.com > All capabilities > IAST and click Tests & Applications in the left navigation pane.

Learn how IAST generates CCUs

IAST analyzes applications for exploitable vulnerabilities. It observes the behavior of APIs, method calls, and traces exercised during testing as it analyzes the execution of real-world attack simulations. Each simulation generates a response based on the number of parameters tested. The more APIs and method calls exercised, the higher the number of parameters that will need testing for an accurate risk assessment. The more complex an application is and the higher the efficacy of your test coverage, the more compute capacity units will be consumed for each test run.

Understand your IAST usage and optimize your cost

IAST has governance controls built into the agent configuration to help ensure there is no accidental use of this capability. For example, an authorized user must explicitly enable this capability for each application.

Once you've configured IAST, we provide visibility broken down by account, users, and APIs. As an administrator, you can work across your organization to optimize costs. You can control IAST costs if you check how often IAST runs during testing and what is tested.

There are three primary variables when optimizing cost for IAST:

  • Risk tolerance

  • Test efficiency

  • Test runs or builds

Risk tolerance

We recommend running IAST on all important apps with each build to reduce risks. Full test coverage reduces the need for fixing issues after release. Risk tolerance differs by organization, affecting security testing methods. Here's an example of IAST results for an app build.

IAST results for an app build

Go to one.newrelic.com > All capabilities > IAST and click Tests & Applications on the left navigation pane. Select an application to see its details.

Test efficiency

Test efficiency is an estimation of your test coverage and contributes to the CCUs consumed for analysis. You can view the APIs, methods, and traces executed and analyzed during each run based on your test cases.

IAST test efficiency

Go to one.newrelic.com > All capabilities > IAST and click Tests & Applications on the left navigation pane. Select an application to see its details and select the APIs tab.

The higher your testing efficiency, the more coverage you have, which can result in higher CCU consumption. You can control cost by deciding what you test. If you have specific concerns, make sure that you run test cases, either manually or automatically, that use the necessary APIs or method calls so that IAST can analyze them. You can reduce the cost by choosing not to exercise a specific API or method call, but note this could introduce more risk.

Test runs or builds

You can think of a test run as deploying an application build to a staging, QA, integration testing, or similar environment. Each time an image restarts, a new unique IAST test run also starts.

  • With each run, you are able to review your coverage to better understand the amount of analysis IAST did to assess the application.

  • You can see the number of APIs, methods, and traces analyzed as well as the assessment for each.

Each test run will consume CCUs depending on the analysis effort and application complexity. You can manage which applications use IAST and how often you run it by turning IAST on and off in the APM settings. This gives you control over your IAST usage.

  • IAST analysis is on when security.enabled and security.agent.enabled are set to true.

  • IAST analysis is off, and will not consume CCUs, when security.enabled and security.agent.enabled are set to false.

See your IAST usage

You can view costs broken out by feature and drill into IAST usage in account administration. We provide you the ability to see daily usage and 30-day rolling usage. Also, we break this down to attribute usage to specific accounts or users and APIs. You can check your IAST CCU consumption from one.newrelic.com.

IAST - Compute management

Go to one.newrelic.com > (user menu) > Administration and click Compute Management in the left navigation pane.

When you select IAST and then facet by Accounts or Users/API Keys you can track usage more granularly.

IAST - Compute management

Go to one.newrelic.com > (user menu) > Administration and click Compute Management in the left navigation pane. Facet by Users/API Keys.

Copyright © 2024 New Relic Inc.
