DevSecOps, also known as Continuous Application Security, is vastly different from legacy application security programs. This approach essentially requires embedding security practices across the SDLC, rather than running them as a deployment gate or as a purely post-deployment monitoring mechanism.
Such integration of security across the SDLC is made possible by incorporating security tools. Traditionally, these tools have been classified as SAST (Static Application Security Testing) or DAST (Dynamic Application Security Testing) tools. However, the emergence of IAST (Interactive Application Security Testing) has challenged the market dominance of SAST and DAST by combining the benefits of both in one package and improving on some of their individual drawbacks. In this article, I aim to illustrate how an IAST solution differs from SAST and DAST tools, for anyone evaluating application security tools.
DevSecOps and every product team’s security objective
Establishing a toolchain for testing applications is the right step towards automating AppSec processes and as a result, accelerating the application security program. Different tools bring different strengths, so it is important to understand which security tool would work best for each team.
Let’s first look at a typical DevSecOps implementation today and its shortcomings. Most frequently, SAST (Static Application Security Testing) tools kick off as developers start committing code to a source repository. SCA (Software Composition Analysis) tools then follow, analyzing dependencies as they are resolved and built as part of the build management process. Most teams additionally run DAST (Dynamic Application Security Testing) tools once the application build is deployed to a QA or staging environment.
Let’s now review IAST, the most modern AST technology, and compare it against SAST and DAST.
IAST brings value from coding to release
While SAST solutions have traditionally been designed to secure the development phase and DAST is performed post-development, IAST solutions work as a continuous security check throughout the entire SDLC (Software Development Life Cycle). IAST uses an agent placed within the application server to perform its assessment from coding to release.
QA teams often perform the final check before a product goes into production. They therefore need security tools that are easy to use and produce fewer false positives. IAST solutions do both.
The needs of production are slightly different. Teams that manage an application in production need an effective way to gauge its security posture in real time, and IAST makes this possible. Another appealing advantage of IAST is the prioritization of security patches based on objective metrics such as the severity and exploitability of a defect.
A second key benefit is speed. Several security tools, SAST and DAST in particular, tend to be slow at run time. This severely hinders DevOps pipelines, where the typical activities run at a much faster pace.
Tools like Hdiv Detection allow engineering teams to use a single tool in the DevSecOps pipeline and, because the security review is instrumentation-based, detect both issues in the code and dynamic security flaws in the running application at the same time. Besides reducing false positives, this also speeds up the identification of security issues.
Fewer false positives
Unlike SAST and DAST tools, IAST tools leverage instrumentation to perform security scanning and testing. Instrumentation techniques are commonly used to identify performance bottlenecks and data flow in the application through a process of tracing, profiling and logging.
In application security terms, instrumentation works as “three tools in one”. IAST tools are deployed in the application container (app server) alongside the application, or in the developer’s IDE, and have the “inside scoop” on all data flows, code and third-party libraries. As a result, IAST tools can detect security vulnerabilities such as SQL Injection, Insecure Deserialization and many other common application security flaws through a combination of static and dynamic analysis, with nearly no false positives.
Additionally, IAST technology is much more accurate in identifying the root cause of a finding. One of the key challenges engineering teams face is developers being unable to reproduce security bugs from tool findings. Even for findings that are typically dynamic, IAST tools can trace the finding to the specific line number in the code, simply because the tool has a view of both the static and dynamic context of the application.
Discussions around security tools are never complete without considering how they affect development teams. IAST solutions provide developer-friendly information and come with bug tracking tool integrations, which means developers get to see functional and security defects in the same light. That is a big plus for IAST solutions.
IAST as a technology platform shows great promise, and while it’s not without its downsides (platform and framework limitations), it has great potential to become an extremely influential piece of application security technology. One IAST solution that I’ve seen work well, and which is therefore a regular feature in my DevSecOps training, is Hdiv Detection. It’s comprehensive in its analysis and complete in its reporting. My favorite feature, however, is the ease with which you can install it. If you want to evaluate this solution further, you can do that here.
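To make the source-to-sink tracking and line-level reporting concrete, here is an added toy example (my own code, not code from Hdiv Detection or any other product): a taint label is attached to a request parameter at the source, propagated through string concatenation, and checked at a hooked SQL sink, which then reports the calling line. The `Tainted` class, `instrumented_execute` hook and the two lookup handlers are all constructed for this illustration.

```python
# Added example (not any product's code): how an IAST agent finds injection
# at a sink. Untrusted input is tagged at its source, the tag follows the
# data through the code, and a hooked dangerous call reports the exact line.
import sqlite3
import traceback

FINDINGS = []  # what the agent would report to its console or bug tracker


class Tainted(str):
    """A str that remembers which untrusted source it came from."""
    def __new__(cls, value, origin):
        obj = super().__new__(cls, value)
        obj.origin = origin
        return obj

    # Propagate the label through concatenation (data-flow tracking).
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.origin)

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.origin)


def instrumented_execute(cursor, sql, params=()):
    """Sink hook; a real agent patches the driver's execute() in place."""
    if isinstance(sql, Tainted):
        # The frame that called the sink is the line the developer must fix.
        caller = traceback.extract_stack()[-2]
        FINDINGS.append({"rule": "SQL Injection", "source": sql.origin,
                         "file": caller.filename, "line": caller.lineno})
    return cursor.execute(sql, params)


def vulnerable_lookup(cursor, username):
    # Query built by concatenation: the tainted string reaches the sink.
    sql = "SELECT name FROM users WHERE name='" + username + "'"
    return instrumented_execute(cursor, sql).fetchall()


def safe_lookup(cursor, username):
    # Parameterized query: the SQL text is a trusted literal and only the
    # bound value carries taint, so the agent stays quiet.
    return instrumented_execute(cursor, "SELECT name FROM users WHERE name=?",
                                (username,)).fetchall()


def run_demo():
    cur = sqlite3.connect(":memory:").cursor()  # constructed sample data
    cur.execute("CREATE TABLE users (name TEXT)")
    cur.execute("INSERT INTO users VALUES ('alice')")
    FINDINGS.clear()
    user = Tainted("alice", "HTTP parameter 'username'")  # tagged at source
    rows = vulnerable_lookup(cur, user) + safe_lookup(cur, user)
    return rows, list(FINDINGS)
```

Both handlers return the same rows for benign input; only the concatenating one produces a finding, and that finding carries the file and line of the call into the sink.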