One of the newest concepts in the Application Security Testing market is the IAST (Interactive Application Security Testing) class of products. In this post, we want to discuss the two main types of IAST security tools, active IAST versus passive IAST, and provide additional insight into how the IAST technology works. At a very high level, active IASTs are composed of two modules (a web scanner that probes the application, such as a DAST, plus the IAST agent), whereas passive IASTs do not require the scanner component, because any kind of traffic drives the security vulnerability assessment.
Many application security vendors are embracing IAST vulnerability detection, so it is very important to understand that behind the IAST label you can find very different kinds of solutions.
Let’s go deeper into some of those concepts.
What is IAST (Interactive Application Security Testing)?
IAST technology is the modern evolution of Application Security Testing tools such as Static ASTs (code scanners) and Dynamic ASTs (web scanners). The goal of this class of solutions is to provide early detection of security vulnerabilities before they get a chance to get exploited by attackers.
For more details, we have introduced the IAST application security tooling in previous posts. You can see how IAST compares against its predecessors SAST and DAST in this other post that describes the principal advantages of IAST tools. And we have also provided more specific IAST use cases for the development team, quality assurance (QA) or staging team, and also for the production or operations teams as well.
What is active IAST (partial IAST)?
The active IAST approach combines a web scanner (such as DAST, also known as “inducer”) with an agent that works inside the application server hosting the application to provide additional analysis details, such as the location of the vulnerability in the application codebase.
In the following image we can see the active IAST architecture:
As the diagram shows, two different components are required to perform the security analysis: the “attack” component and the “detect” component. The attack component scans the URLs of the application by sending a list of known attack payloads. This process can be considerably time-consuming, depending on the size of the target application and the number of attack payloads. The detect component provides additional context thanks to its visibility of the application's internal response to the traffic generated by the attack component.
The scan/attack approach also implies that only the specific attack patterns carried by the payload list can be identified, which means certain types of vulnerabilities go undetected.
In addition to the complexity associated with the deployment of two separate components, particularly in the development stages of the SDLC, there are two main security limitations of this approach:
Active IASTs only analyze outside-in traffic (data from the request)
The two components work together synchronously, and all of the analyzed traffic is generated by the scanner. Any vulnerability that relies on data originating from sources other than the request, such as a database or a third-party API, will not be analyzed properly. Active IASTs do not track all data flows.
Active IASTs will miss some types of security vulnerabilities
Active IASTs do not track how data is transformed during the request. If the target application modifies the probe payload sent by the scanner while processing the request (for example by normalizing, encoding or reformatting it), the payload no longer matches what the scanner is looking for, and an active IAST detection tool will miss some types of security vulnerabilities.
What is passive IAST (or full IAST)?
The passive IAST technology only needs a detection component, which becomes part of the application server seamlessly as a runtime agent. The passive IAST technology does not require attacking the application or sending specifically designed traffic to conduct the security testing.
This means that any type of regular, legitimate traffic that reaches the application provides all that is needed to find security vulnerabilities. For instance, any functional test, or even a usability test, doubles up as a security test.
Passive IAST provides the location of the vulnerability in the application codebase, as well as the related application URL (including request parameters) associated with the vulnerability. The passive IAST architecture tracks all possible origins of a data flow (request, database, external services, etc.) and keeps working even when the target application modifies the input data while processing the request.
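The following is an added illustration of the source-tracking idea described above; it is toy code written for this post, not Hdiv's agent or any vendor's product. It models a passive IAST agent as a taint tracker: data is labelled at each source (a request parameter and a database column, both constructed sample values), the label survives the application's own string transformations, and the SQL sink reports every source that reached it. The same handler is then run under an "active" model that sends a marker payload and only looks for that marker verbatim at the sink, which is the limitation discussed in the previous section. The source names, the `handle_search` handler and the marker string are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tainted:
    """A string value plus the set of sources it was derived from."""
    value: str
    sources: frozenset


def taint(value: str, source: str) -> Tainted:
    """Label data as it enters the application (request parameter, DB column, ...)."""
    return Tainted(value, frozenset({source}))


def propagate(fn, *args):
    """Apply a transformation; the result inherits the union of the inputs' taints.

    An in-process agent achieves this by instrumenting string operations, so the
    taint follows the data through whatever reshaping the application applies."""
    raw = [a.value if isinstance(a, Tainted) else a for a in args]
    result = fn(*raw)
    sources = frozenset().union(*(a.sources for a in args if isinstance(a, Tainted)))
    return Tainted(result, sources) if sources else result


def sql_sink(query, findings: list) -> str:
    """Simulated query-execution sink: tainted input reaching it is a finding."""
    if isinstance(query, Tainted):
        findings.append({"type": "SQL injection",
                         "sources": sorted(query.sources),
                         "query": query.value})
        return query.value
    return query


def handle_search(params: dict, db_row: dict):
    """Constructed sample request handler with two flows into the SQL sink.

    Flow 1: request parameter 'q' is normalised (stripped, lower-cased, whitespace
    collapsed) before it is concatenated, so it no longer matches a scanner probe.
    Flow 2: a value previously stored in the database is concatenated as well
    (second-order); no request traffic ever carries it."""
    q = taint(params.get("q", ""), "request:param:q")          # source 1 (assumed name)
    bio = taint(db_row["bio"], "database:users.bio")           # source 2 (assumed name)
    normalised = propagate(lambda s: " ".join(s.strip().lower().split()), q)
    clause = propagate(lambda s: "name LIKE '%" + s + "%'", normalised)
    return propagate(
        lambda a, b: "SELECT * FROM users WHERE " + a + " AND bio='" + b + "'",
        clause, bio)


def passive_analysis(params: dict, db_row: dict) -> list:
    """Passive model: ordinary traffic, taint carried from every source to the sink."""
    findings = []
    sql_sink(handle_search(params, db_row), findings)
    return findings


def active_analysis(db_row: dict) -> list:
    """Active model: a scanner sends a marker in the request and the detector reports
    a finding only if the marker text reaches the sink unchanged. The handler's
    normalisation alters it, and the database source is never probed at all."""
    marker = "IASTPROBE'OR'1'='1"                                 # constructed probe
    query = handle_search({"q": marker}, db_row)
    text = query.value if isinstance(query, Tainted) else query
    return [{"type": "SQL injection", "sources": ["request:param:q"]}] if marker in text else []


if __name__ == "__main__":
    row = {"bio": "hello"}                                       # constructed DB row
    print("passive:", passive_analysis({"q": "  Ali ce "}, row))
    print("active: ", active_analysis(row))
```

Running the block reports one finding under the passive model, naming both the request parameter and the database column as sources of the tainted query, while the active model reports nothing for the same handler. The real value of the passive approach in the text is exactly this: detection does not depend on a probe surviving the application's processing, nor on the scanner being the only origin of data.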
In order to implement successful DevSecOps and fast-paced agile processes, research organizations such as Gartner specifically recommend passive IAST (full IAST) solutions. The reasons behind this recommendation include a simplified deployment model, increased detection accuracy, and the speed of real-time actionable results, including when the application changes. This combination automates the vulnerability assessment process. Due to these technological advantages, Gartner considers passive IASTs to be “full-featured” IASTs, while active IASTs are considered “lite” implementations.
Active IAST vs passive IAST summary
The differences between the active IAST and passive IAST approaches are significant, so teams considering adopting an IAST application security solution need to understand how each approach is implemented.
| | Passive IAST Technology | Active IAST Technology |
|---|---|---|
| Vulnerability Assessment Speed | Instant | Hours to days |
| Vulnerability Assessment Accuracy | High (100% OWASP Benchmark) | |
| Vulnerability Assessment Methodology | Continuous; applicable during the entire SDLC | Scan-based; only applicable at the end |
| Outside-in and Inside-out Visibility | Yes; full data flow control; no need to supply credentials | Only outside-in traffic is analyzed; the DAST/scanner may need credentials |
| Independent Deployment Model | Yes | No; a secondary component that makes requests (i.e. a DAST) is required |
Hdiv Detection (IAST) is a passive IAST (full-featured)
Hdiv Detection (IAST) leverages native instrumentation, and it does not require attacking the application to find security vulnerabilities. This simplifies the inclusion of security vulnerability detection throughout the lifecycle of the application, from the very beginning when developers start coding, to the production stage, where regular legitimate traffic can be used to continuously monitor the security of the application as new versions and updates are released.
The installation of Hdiv Detection is quite simple. It only requires installing the Hdiv agent in the application server (such as Tomcat or IIS), and immediately all applications hosted in that application server become instrumented and monitored by Hdiv Detection (IAST). As regular traffic hits the system, security vulnerabilities are reported in the Hdiv Console or, optionally, in the Hdiv Developer Toolbar.