
You can monitor application security for Node.js apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate.

Prerequisites

Enabling Application & API Protection

Get started

  1. Update your Datadog Node.js library package to at least version 5.0.0 (for Node 18+) or 4.0.0 (for Node 16+) or 3.10.0 (for Node.js 14+), by running one of these commands:

    npm install dd-trace@^5
    npm install dd-trace@^4
    npm install dd-trace@^3.10.0
    

    Use this migration guide to assess any breaking changes if you upgraded your library.

    App & API Protection is compatible with Express v4+ and Node.js v14+. For additional information, see Compatibility.

  2. Where you import and initialize the Node.js library for APM, also enable Application & API Protection. This might be either in your code or with environment variables. If you initialized APM in code, add {appsec: true} to your init statement:

    // This line must come before importing any instrumented module.
    const tracer = require('dd-trace').init({
      appsec: true,
      tracing: false // To disable APM tracing and use security features only
    })
    

    For TypeScript and bundlers that support ECMAScript Module syntax, initialize the tracer in a separate file in order to maintain the correct load order.

    // server.ts
    import './tracer'; // must come before importing any instrumented module.
    
    // tracer.ts
    import tracer from 'dd-trace';
    tracer.init({
      appsec: true,
      tracing: false // To disable APM tracing and use security features only
    }); // initialized in a different file to avoid hoisting.
    export default tracer;
    

    If the default config is sufficient, or all configuration is done through environment variables, you can also use dd-trace/init, which loads and initializes in one step.

    import 'dd-trace/init';
    

    Or if you initialize the APM library on the command line using the --require option to Node.js:

    node --require dd-trace/init app.js
    

    Then use environment variables to enable Application & API Protection:

    DD_APPSEC_ENABLED=true DD_APM_TRACING_ENABLED=false node app.js
    

    How you do this varies depending on where your service runs:

    Update your APM container configuration by adding the following arguments to your docker run command:

    docker run [...] -e DD_APPSEC_ENABLED=true -e DD_APM_TRACING_ENABLED=false [...]
    

    Add the following environment variable values to your container Dockerfile:

    ENV DD_APPSEC_ENABLED=true
    ENV DD_APM_TRACING_ENABLED=false
    

    Update your container's APM configuration YAML file and add the Application & API Protection environment variables:

    spec:
      template:
        spec:
          containers:
            - name: <CONTAINER_NAME>
              image: <CONTAINER_IMAGE>/<TAG>
              env:
                - name: DD_APPSEC_ENABLED
                  value: "true"
                - name: DD_APM_TRACING_ENABLED
                  value: "false"
    

    Update your ECS task definition JSON file by adding these entries to the environment section:

    "environment": [
      ...,
      {
        "name": "DD_APPSEC_ENABLED",
        "value": "true"
      },
      {
        "name": "DD_APM_TRACING_ENABLED",
        "value": "false"
      }
    ]
    

    Initialize Application & API Protection in your code or set environment variables in your service invocation:

    DD_APPSEC_ENABLED=true DD_APM_TRACING_ENABLED=false node app.js
    

    Once this configuration is complete, the library collects security data from the application and sends it to the Agent. The Agent forwards that data to Datadog, where out-of-the-box detection rules flag attacker techniques and potential misconfigurations so that you can take corrective action.
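A common way for the configuration above to go wrong is to set DD_APM_TRACING_ENABLED=false (security-only mode) and forget to set DD_APPSEC_ENABLED=true, or to set one of them to a value the library does not treat as a boolean; in either case nothing useful is sent to the Agent. The following preflight check is an added example, not code from the Datadog docs or the dd-trace library: it reads the same two environment variables and reports whether the service is in a usable state. It assumes that "true"/"1" and "false"/"0" are accepted case-insensitively, and that APM tracing stays enabled when DD_APM_TRACING_ENABLED is unset; both are this example's assumptions.

```javascript
// Added example (not from the Datadog docs): a start-up preflight that reads
// the environment variables described above and reports whether the service
// is in a usable Application & API Protection configuration.
// Assumptions (this example's): "true"/"1" and "false"/"0" are accepted
// case-insensitively, and APM tracing stays on when DD_APM_TRACING_ENABLED
// is unset.

function parseBool(value) {
  if (value === undefined || value === null) return undefined; // variable unset
  const v = String(value).trim().toLowerCase();
  if (v === 'true' || v === '1') return true;
  if (v === 'false' || v === '0') return false;
  return null; // set, but not a value this check recognises
}

function resolveAppsecConfig(env) {
  const appsec = parseBool(env.DD_APPSEC_ENABLED);
  const tracing = parseBool(env.DD_APM_TRACING_ENABLED);
  const warnings = [];

  if (appsec === null) {
    warnings.push(`DD_APPSEC_ENABLED="${env.DD_APPSEC_ENABLED}" is not a recognised boolean; treating it as false`);
  }
  if (tracing === null) {
    warnings.push(`DD_APM_TRACING_ENABLED="${env.DD_APM_TRACING_ENABLED}" is not a recognised boolean; treating it as true`);
  }

  const appsecEnabled = appsec === true;
  // Unset or unrecognised keeps tracing on (assumption, see above).
  const apmTracingEnabled = tracing !== false;

  if (!appsecEnabled) {
    warnings.push('DD_APPSEC_ENABLED is not "true": no threat detection will run');
  }
  if (!appsecEnabled && !apmTracingEnabled) {
    warnings.push('APM tracing is off and App & API Protection is off: the library will send neither traces nor security data');
  }

  return { appsecEnabled, apmTracingEnabled, warnings };
}

// Run directly (node preflight.js) to check the current process environment.
// The typeof guard keeps the file loadable from an ES module as well.
if (typeof require !== 'undefined' && require.main === module) {
  const result = resolveAppsecConfig(process.env);
  console.log(JSON.stringify(result, null, 2));
  process.exitCode = result.warnings.length === 0 ? 0 : 1;
}
```

Run it in the same container and with the same environment as the service (for example as a CMD wrapper or an init step) so that the variables it sees are the ones the tracer will see; a non-zero exit code makes the misconfiguration visible before the first request is served.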

  3. To see Application Security Management threat detection in action, send known attack patterns to your application. For example, run a file containing the following curl script to trigger the Security Scanner Detected rule:

    for ((i=1;i<=250;i++));
    do
    # Target existing routes of the service
    curl https://your-application-url/existing-route -A dd-test-scanner-log;
    # Target non-existing routes of the service
    curl https://your-application-url/non-existing-route -A dd-test-scanner-log;
    done

    Note: The dd-test-scanner-log value is supported in the most recent releases.

    A few minutes after you enable and run your application, threat information appears in the Application Signals Explorer and vulnerability information appears in the Vulnerability Explorer.
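If nothing shows up in the explorer after the curl loop, the first thing to confirm is that the test requests reached the service at all and how they were answered (the non-existing route is expected to return 404). The following is an added example, not code from the Datadog docs: it scans the service's own access logs in the common "combined" format, keeps only requests carrying the dd-test-scanner-log User-Agent from the script above, and summarizes them by status code and path. The log lines embedded in it are constructed for this example; the log format and field order are this example's assumption.

```javascript
// Added example (not from the Datadog docs): confirm from the service's own
// access logs that the scanner test traffic arrived and see how it was answered.
// Assumes Apache/Nginx "combined" format:
//   host ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
const SCANNER_UA = 'dd-test-scanner-log'; // User-Agent used by the docs' curl script

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

function parseAccessLogLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // not a combined-format line; reported as unparsed below
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), userAgent: m[6] };
}

// Count scanner-UA requests by status code and by path; other traffic is skipped.
function summarizeScannerTraffic(lines, ua = SCANNER_UA) {
  const summary = { total: 0, unparsed: 0, byStatus: {}, byPath: {} };
  for (const line of lines) {
    const req = parseAccessLogLine(line);
    if (!req) { summary.unparsed++; continue; }
    if (req.userAgent !== ua) continue;
    summary.total++;
    summary.byStatus[req.status] = (summary.byStatus[req.status] || 0) + 1;
    summary.byPath[req.path] = (summary.byPath[req.path] || 0) + 1;
  }
  return summary;
}

// Constructed sample log lines (not real traffic): three scanner requests, one
// ordinary browser request and one malformed line.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /existing-route HTTP/1.1" 200 512 "-" "dd-test-scanner-log"',
  '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /non-existing-route HTTP/1.1" 404 148 "-" "dd-test-scanner-log"',
  '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /existing-route HTTP/1.1" 200 512 "-" "dd-test-scanner-log"',
  '203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /existing-route HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  'garbage line that is not an access log entry',
];

// Usage: node check-scanner-traffic.js < access.log   (reads stdin; falls back to the sample)
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const input = process.stdin.isTTY ? SAMPLE_LOG : fs.readFileSync(0, 'utf8').split('\n').filter(Boolean);
  console.log(JSON.stringify(summarizeScannerTraffic(input), null, 2));
}
```

A summary with total 0 means the requests never reached the service (wrong URL, load balancer, or WAF in front of it), which is a different problem from the library not reporting them; a mix of 200s for the existing route and 404s for the non-existing one is what the script above is expected to produce.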

If you need additional assistance, contact Datadog support.

Further Reading
