Interactive Application Security Testing (IAST) tools complement and replace legacy Application Security Testing (AST) tools such as SAST and DAST. We believe that IAST tools are one of the best investments developers can make to improve the security of their applications. You can also browse the IAST Detection tool section on the Hdiv Security website, and do not hesitate to reach out if you have questions or comments.
Table of contents
What is Interactive Application Security Testing (IAST)?
What are the main benefits of an IAST tool?
How is IAST different from SAST and DAST?
What are the differences between active IAST and passive IAST?
What are some examples of IAST use cases?
What are the main drawbacks of IAST tools?
What is Hdiv Detection (IAST)?
FAQs about IAST
What is Interactive Application Security Testing (IAST)?
An Interactive Application Security Testing (IAST) tool is a fairly new type of application security tool that focuses on detecting security issues in the code of your applications. Designed to run in the application server as an agent, IAST tools provide real-time detection of security issues by analyzing the traffic and the execution flow of your applications. There is no need to modify the applications, nor to conduct specific penetration testing activities: IAST tools detect security issues just by browsing your application. There is no need to install plug-ins.
The analysis is conducted from inside the application, which provides an ideal vantage point for security testing. More specifically, the implementation relies on an agent that injects functionality at certain points of the execution of your app.
The results of the testing can be consumed in real time (using web browser toolbars and/or server-side web consoles) and can also be delivered as dedicated reports. The results can also be integrated with the issue tracking tools the team might already be using.
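As an added illustration (not Hdiv's code or its agent), a constructed Python sketch of the passive-IAST idea described above: data from the request is marked untrusted, a sink is wrapped by the "agent" at load time without editing the application, and a finding with file and line is recorded when untrusted data reaches the sink without passing through a sanitizer. `Tainted`, `instrument_sink`, `sanitize_int` and the sample application are all assumed names.

```python
"""Sketch of passive-IAST instrumentation (added example, not Hdiv's agent).
A real agent instruments the application server at load time; this constructed
Python version shows the idea: request data is marked untrusted, a sink is wrapped
by the "agent" without editing the app, and a finding with file and line is
recorded when untrusted data reaches the sink without passing a sanitizer."""
import inspect

class Tainted(str):
    """String that remembers it came from an untrusted request source.
    Concatenation keeps the taint (a real agent instruments string ops too)."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))
    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

findings = []   # what the agent would show in the toolbar / console

def instrument_sink(sink, vuln_type):
    """Agent side: wrap a sink so its arguments are inspected at call time."""
    def wrapped(*args, **kwargs):
        if any(isinstance(a, Tainted) for a in args):
            caller = inspect.stack()[1]   # the application frame that called the sink
            findings.append({"type": vuln_type, "sink": sink.__name__,
                             "file": caller.filename, "line": caller.lineno})
        return sink(*args, **kwargs)
    return wrapped

def sanitize_int(value):
    """Sanitizer: a value proven to be an integer is no longer tainted."""
    return str(int(value))

# --- application code, written as if no agent existed ------------------------
def execute_sql(query):
    return "executed: " + query

def handle_request(params):
    findings.clear()                              # one report per request (demo only)
    user_id = Tainted(params["id"])               # request parameter -> untrusted
    execute_sql("SELECT * FROM users WHERE id = " + user_id)                # unsafe
    execute_sql("SELECT * FROM users WHERE id = " + sanitize_int(user_id))  # safe
    return list(findings)

# --- agent attaches at load time: the app's sink is replaced, not edited ------
execute_sql = instrument_sink(execute_sql, "SQL Injection")

if __name__ == "__main__":
    for f in handle_request({"id": "42"}):        # ordinary, legitimate traffic
        print(f)
```

Only the unsanitized call produces a finding, and it is reported with the file and line of the application code that reached the sink, which is the "static plus dynamic view" the text refers to later.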
What are the main benefits of an IAST tool?
1. Accuracy
Accuracy is one of the main IAST advantages. It includes the ability to detect as many existing risks as possible (a low false negative rate) while, at the same time, not flagging unexploitable points as exploitable (a low false positive rate). Some IAST tools reach 100% OWASP Benchmark coverage with zero false positives [1]. In contrast, SAST tools offer only partial detection (no better than 80% of the OWASP Benchmark) and throw many false positives. DAST tools provide very low detection, around 10-15% of the OWASP Benchmark.

Advanced IASTs integrate third-party vulnerability detection to identify external and open-source components with known vulnerabilities.
2. Useful during all phases of the SDLC
IAST tools are not confined to a particular phase of the SDLC. Even though they deliver a lot of value during the development phase, because they help developers fix risks in real time, IAST tools are extremely useful during the QA/testing phase. Lastly, they’re also valuable when the system is in production, because ops and appsec teams can benefit from the risk detection, with little performance hit and no risk of false positives.
3. Integration with SDLC tools and DevOps practices
First, the best IAST tools can automatically create new tasks in your issue tracker to represent security issues, so developers do not have to leave the tools they normally use.
Second, they enable seamless CI/CD environments. IAST integration stops the delivery pipeline if the number of security bugs exceeds the agreed threshold. Seek solutions that integrate with your deployment server (such as Jenkins).
And third, they fit perfectly in DevOps practices. By fostering speed, automation, and reduction of defects, they are a valuable ally for teams adopting DevOps and DevSecOps.
4. Faster time-to-market without compromising security
IASTs provide real time vulnerability detection and immediate feedback. Developers receive security feedback as soon as they run their code; no need to wait for additional scan processes to finish.
The feedback is extremely clear and actionable, and it includes the type of vulnerability and exact location in the source code of the application (to the line level). For developers, this means that in the long run, IASTs’ real time feedback educates them in secure coding practices. At the same time, QA testers can quickly identify security vulnerabilities without extensive application security experience, because the results are highly reliable and specific. This saves time in the testing phase. And lastly, application security experts can stop wasting time chasing vulnerabilities and false positives and focus on strategic security initiatives.
5. Static and Dynamic visibility
One of the key benefits is the visibility of the application source code (static view) and the request execution view (dynamic view). The combination of the static and dynamic view is one of the key drivers behind the high accuracy mentioned above, and the actionability of the feedback, which provides the source code file and line number of the risk.
How is IAST different from SAST and DAST?
IASTs are a natural evolution of the previous generation of Application Security Testing tools: Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools.
IAST vs SAST
Static Application Security Testing tools examine source code in a non-runtime environment early in the SDLC. They look for suspicious code patterns that indicate security risks. Even though they are easy to deploy, SASTs throw too many false positives because they do not take into account the presence of other security countermeasures, and they lack visibility during runtime. SAST tools normally run inside the IDE as part of the compilation phase, and introduce delays as the scan process takes time to finish. IASTs are more flexible than SASTs because they are applicable in production runtime environments, whereas SASTs require direct access to the source code.
IAST vs DAST
Essentially, a Dynamic Application Security Testing tool is a black-box scanner that executes requests against the application to find security issues. DASTs look at the applications from the exterior and determine the presence of risks by looking at the response (including body and headers) of the server to a battery of tests, but DASTs have no visibility of the internal workings of the app. Furthermore, DAST tests are hard to automate, because DASTs must be operated by experienced appsec teams, such as penetration testers, to be truly useful. Forrester estimates that the duration of a DAST scan can take around 5 to 7 days, while testing with IAST is a real-time (zero minutes) operation [2].
For additional details, this post describes the differences between IAST, SAST and DAST.
What are the differences between active IAST and passive IAST?
The main difference between active and passive IAST is that active implementations require a separate traffic inducer component (typically a DAST) that generates attack requests that the IAST component detects, whereas passive IAST implementations do not require a secondary inducer component because any kind of legitimate traffic is enough to perform the security analysis. That is why passive IAST is also known as “full,” and active IAST is known as “partial” or “lite.”
The complexity of having to deploy two components and generate attack traffic means that active implementations are less adequate for the development stage, and in general, less suitable for DevSecOps pipelines. The detection accuracy in active models is worse than that of passive IAST, due to architectural limitations, so active IASTs will miss some types of security vulnerabilities.
Additionally, active IASTs introduce delays as the traffic inducer must launch a scan phase, compared to the instant results that passive IASTs deliver. Read this other BORNSECURE post for additional details about the difference between active IAST and passive IAST.
What are some examples of IAST use cases?
As mentioned above, IASTs are helpful during all phases of the SDLC. Let’s review three typical stages of any software lifecycle and discuss some advantages of security testing and good practices. For additional information, click on the link as BORNSECURE has dedicated posts for each of the three stages:
IAST in the development stage
Developers greatly benefit from IAST technology because it allows them to solve security vulnerabilities early in the development cycle, which reduces remediation costs, serves as developer training, and reduces the need to have application security experts on the team. Look for tools that integrate with the task management systems the team is already using, such as Jira and Asana, as well as tools that integrate with IDEs to provide immediate feedback.
IAST in the QA stage
The Quality Assurance environment can incorporate automated security checkpoints that define specific quality gates, such as the number and type of vulnerabilities allowed. These checkpoints can be incorporated into the CI/CD tools, and since there is no need to wait for a scan, the approach is DevOps-friendly.
IAST for production stages
Operations teams love IASTs in the production stage because it is almost impossible to fix all vulnerabilities before going to production, so it is very valuable to know which issues are the most serious. This information helps prioritize patches and monitor the stability of the entire system.
What are the main drawbacks of IAST tools?
The internal architecture is based on code instrumentation, and therefore it is language-specific in terms of server-side infrastructure. The good news is that the most popular web application and API development languages (Java and .NET) are extensively supported. There are no requirements for client-side infrastructure.
In terms of protection, IAST security testing tools are non-blocking, meaning that even when a risk is detected the execution flow continues on the server. Teams interested in active protection (including blocking suspicious requests) should consider blocking protection products such as RASPs, which share the same architecture as an IAST.
What is Hdiv Detection (IAST)?
Hdiv Detection (IAST) finds security vulnerabilities in applications by using the IAST security testing approach. Hdiv Detection leverages native instrumentation of the application server, so there is no need to scan the source code or attack the application to find security vulnerabilities. The entire application is reviewed, including its dependencies such as open-source components and third-party outsourced code with no source code available.
On top of the IAST architecture benefits discussed above, Hdiv Detection includes a developer toolbar and IDE integration so that security vulnerabilities are displayed in real time from the beginning. Hdiv Detection also integrates with task tracking systems and with CI/CD tools.
FAQs about IAST
Can I detect vulnerabilities in real-time with an IAST tool?
Yes! IAST tools are designed to run in the application server as an agent, so they provide real-time detection of security issues by analyzing the traffic and execution flow of your applications. There is no need to modify the applications, nor to conduct specific penetration testing activities. IAST tools detect security issues just by browsing your application.
Can an IAST tool detect security vulnerabilities inside compiled code?
Yes! The agent of an IAST tool sees the compiled code of your application, the incoming requests and how your code manipulates the data throughout the request lifecycle, including third-party libraries and the communication with the container and/or operating system.
What is the accuracy of an IAST tool?
Accuracy includes the ability to detect as many existing risks as possible (low false negative rate) while at the same time, not identifying unexploitable points as exploitable (low false positive rate). Some IAST tools reach 100% of OWASP Benchmark coverage with zero false positives.
Can an IAST tool detect security vulnerabilities on third-party libraries?
Advanced IAST integrates third-party vulnerability detection to identify external and open source components with known vulnerabilities. This is important because the quantity of third-party code libraries has been steadily increasing in the last few years. This includes open source projects and infrastructure support libraries.
In which part of the SDLC is an IAST tool useful?
IAST tools are not confined to a particular phase of the SDLC. Even though they deliver a lot of value during the development phase, because they help developers fix risks in real time, IAST tools are extremely useful during the QA/testing phase. Lastly, IASTs are also valuable when the system is in production, because Operations and AppSec teams can benefit from the risk detection with little performance hit and no risk of false positives.
How can I integrate an IAST tool with SDLC or DevOps practices?
First, the best IAST tools can automatically create new tasks in your issue tracker to represent security issues so developers can still use their normal tools. No need to check a different tool or a static report.
Second, IAST tools enable seamless CI/CD environments. IAST tools introduce automatic security controls and checkpoints to enforce quality goals: the same way that failed unit tests and compilation errors stop the CI/CD process, unsolved security issues block the build process.
And third, IAST tools fit perfectly in DevOps practices. By fostering speed, automation, and reduction of defects, IAST tools are a valuable ally for teams adopting DevOps and DevSecOps. IASTs do not hold up the build pipeline because the results are ready in real time: no scan time is required.
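An added example (not Hdiv's, nor any CI server's own format) serving both the CI/CD integration described under benefit 3 above and this FAQ: a constructed pipeline step that evaluates an IAST findings export against a per-severity policy and exits non-zero, which stops the build just as a failed unit test would. The report layout, `POLICY` and `evaluate_gate` are assumptions.

```python
"""CI/CD quality gate over IAST findings (added example; the report layout and
policy are constructed, not Hdiv's or any CI server's own format). The step fails,
like a failed unit test would, when the build's findings exceed the per-severity
thresholds the team set or include a type that must never ship."""
import json
import sys

# Constructed sample export of a passive-IAST run against one build.
SAMPLE_REPORT = json.dumps({
    "build": "feature-login-42",
    "findings": [
        {"type": "SQL Injection", "severity": "Critical",
         "file": "src/main/java/app/UserDao.java", "line": 88},
        {"type": "Weak Hashing", "severity": "Medium",
         "file": "src/main/java/app/Passwords.java", "line": 17},
        {"type": "Cookie Without HttpOnly", "severity": "Low",
         "file": "src/main/java/app/Session.java", "line": 40},
    ],
})

# Constructed gate policy: max findings allowed per severity, plus types that
# fail the build regardless of count.
POLICY = {
    "max_per_severity": {"Critical": 0, "High": 0, "Medium": 3, "Low": 10},
    "blocking_types": {"SQL Injection", "Command Injection"},
}

def evaluate_gate(report_json, policy):
    """Return (passed, reasons); reasons name every breached rule."""
    report = json.loads(report_json)
    counts, reasons = {}, []
    for f in report["findings"]:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
        if f["type"] in policy["blocking_types"]:
            reasons.append(f'blocking type {f["type"]} at {f["file"]}:{f["line"]}')
    for sev, limit in policy["max_per_severity"].items():
        if counts.get(sev, 0) > limit:
            reasons.append(f'{counts[sev]} {sev} finding(s), limit is {limit}')
    return (not reasons, reasons)

if __name__ == "__main__":
    passed, reasons = evaluate_gate(SAMPLE_REPORT, POLICY)
    for r in reasons:
        print("GATE:", r)
    sys.exit(0 if passed else 1)   # non-zero exit code stops the pipeline
```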
How does an IAST tool improve the “time-to-market” of an application?
IASTs provide real-time vulnerability detection and immediate feedback. Developers receive security feedback as soon as they run their code; no need to wait for additional scan processes to finish. Zero scan time and continuous vulnerability detection mean that developers can focus on writing secure code.
The feedback is extremely clear and actionable, and it includes the type of vulnerability and the exact location in the source code of the application (to the line level). For developers, this means that in the long run, IASTs’ real-time feedback educates them in secure coding practices. At the same time, QA testers can quickly identify security vulnerabilities without extensive application security experience because the results are highly reliable and specific. This saves time in the testing phase. And lastly, application security experts can stop wasting time chasing vulnerabilities and false positives and focus on strategic security initiatives.
As a Developer, how do I accelerate the delivery of code without compromising security?
One of the key benefits that IAST tools offer is the visibility of the application source code (static view) and the request execution view (dynamic view). The combination of the static and dynamic views is one of the key drivers behind the high accuracy of IAST tools, resulting in a low false positive rate.
Remove slow code scanning activities and instead use an IAST to receive real time information on your security issues as you code.
I am part of the QA team that assesses the security of an application prior to its acceptance.
QA teams use IAST tools in conjunction with scanner tools, so security can be validated in the same way that regular functionality is validated. Seek IAST solutions that integrate with your deployment server (such as Jenkins).
If you are interested in learning more about the IAST model, check out the following white paper and let us know what you think. We hope it is useful for you as you consider how to improve your application security strategy.
Sources:
[1] Hdiv IAST OWASP Benchmark results
[2] Forrester Research, Construct A Business Case For Interactive Application Security Testing, November 2017