The application security community is adopting IAST tools to complement and replace legacy Application Security Testing (AST) tools such as SASTs and DASTs. We believe that IASTs are one of the best investments developers can make to improve the security of their applications. Learn the IAST basics in our Q&A. You can also browse the IAST section of the Hdiv Security website, and do not hesitate to reach out if you have questions or comments.

Q: What is Interactive Application Security Testing (IAST)?
Q: What are the main benefits of an IAST?
Q: How are IASTs different from SASTs and DASTs?
Q: What are the main drawbacks of IASTs?

Q: What is Interactive Application Security Testing (IAST)?

An IAST is a fairly new type of application security tool that focuses on detecting security issues in the code of your applications. Designed to run inside the application server as an agent, IAST tools detect security issues in real time by analyzing the traffic and the execution flow of your applications. There is no need to modify the applications or to conduct specific penetration testing activities: IAST tools detect security issues simply by browsing your application, and no plug-ins need to be installed.

The analysis is conducted from inside the application, which provides an ideal vantage point for security testing. More specifically, IAST tools are typically implemented as an agent that injects monitoring functionality at certain points in the execution of your app.

The results of the testing can be consumed in real time (through web browser toolbars and/or server-side web consoles) and can also be delivered as dedicated reports. The results can also be integrated with whatever issue tracking tools the team is using.
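To make the agent idea above concrete, here is a toy model of how an IAST hooks the application from the inside. It is an added example, not Hdiv's code: a hypothetical `Agent` class records a taint source (a request parameter) and a sink (SQL execution), and when request data reaches the sink unchanged it reports the file, line and function of the application code that called the sink, which is exactly the kind of location an IAST reports. A real agent injects equivalent hooks into the JVM or .NET runtime; here the database driver hook is simulated by wrapping a sqlite3 connection by hand, and both handlers are exercised with an ordinary request, so no attack payload is involved.

```python
# Toy model of an IAST agent (added example, not Hdiv's implementation).
import inspect
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_type: str
    file: str
    line: int
    function: str
    evidence: str


class Agent:
    """Hypothetical agent: remembers taint sources and checks them at sinks."""

    def __init__(self):
        # Values that entered from the request; a real agent scopes this per request.
        self.tainted = []
        self.findings = []

    def source(self, value):
        """Source hook: called wherever request data enters the application."""
        if value:
            self.tainted.append(value)
        return value

    def sink(self, vuln_type, payload):
        """Sink hook: flag the call if request data reached the sink unchanged.

        The finding records the application frame that invoked the sink wrapper,
        which is how an IAST can report a source file and line number."""
        for value in self.tainted:
            if value in payload:
                caller = inspect.stack()[2]  # [0] = sink, [1] = wrapper, [2] = application code
                self.findings.append(
                    Finding(vuln_type, caller.filename, caller.lineno, caller.function, payload))
                return True
        return False


class InstrumentedConnection:
    """Stands in for the database-driver hook an agent would inject at instrumentation time."""

    def __init__(self, agent, conn):
        self.agent = agent
        self.conn = conn

    def execute(self, sql, params=()):
        self.agent.sink("SQL Injection", sql)  # check before the driver runs the statement
        return self.conn.execute(sql, params)


# Two application handlers running the same benign request. The agent flags the first
# because request data is concatenated into the SQL text, and passes the second because
# the value travels as a bound parameter and never appears in the statement itself.
def vulnerable_lookup(agent, db, request):
    user = agent.source(request["user"])
    return db.execute("SELECT role FROM users WHERE name = '" + user + "'").fetchall()


def safe_lookup(agent, db, request):
    user = agent.source(request["user"])
    return db.execute("SELECT role FROM users WHERE name = ?", (user,)).fetchall()


def run_demo():
    """Exercise both handlers with normal traffic and return the agent's findings."""
    agent = Agent()
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'admin')")
    db = InstrumentedConnection(agent, conn)
    request = {"user": "alice"}  # constructed, ordinary request: no attack payload needed
    assert vulnerable_lookup(agent, db, request) == [("admin",)]
    assert safe_lookup(agent, db, request) == [("admin",)]
    return agent.findings


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.vuln_type} at {f.file}:{f.line} in {f.function}() -> {f.evidence}")
```

The point to notice is that the finding appears while the request is a perfectly normal one: the agent reports the vulnerable concatenation because it observes the data flow, not because anyone sent an attack, which is why the text says that issues are detected just by browsing the application.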

Q: What are the main benefits of an IAST?

1. Accuracy

Accuracy includes the ability to detect as many existing risks as possible (a low false negative rate) while, at the same time, not flagging unexploitable points as exploitable (a low false positive rate). Some IAST tools reach 100% OWASP Benchmark coverage with zero false positives [1]. In contrast, SAST tools offer only partial detection (no better than 80% of the OWASP Benchmark) and they raise many false positives. DAST tools provide very low detection, around 10-15% of the OWASP Benchmark.

OWASP Benchmark results

The pink dot represents the OWASP Benchmark results for Hdiv IAST. The Y axis represents the grade of coverage of a battery of tests (A to L) and the X axis represents the false positive rate for the same tests. Hdiv IAST delivers 100% detection with no false positives.

Advanced IASTs integrate third-party vulnerability detection to identify external and open source components and their known vulnerabilities.
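As an added example (not part of the original post, and not real OWASP Benchmark data), the following computes the two rates the accuracy discussion above depends on. The OWASP Benchmark scorecard combines them as true positive rate minus false positive rate, so a tool that flags everything scores no better than one that flags nothing; the ten test cases and the three hypothetical tools below are constructed to show that.

```python
# Benchmark-style accuracy scoring (added example; cases and tools are constructed).
from dataclasses import dataclass


@dataclass(frozen=True)
class BenchmarkCase:
    name: str
    vulnerable: bool  # ground truth: does this test case contain a real vulnerability?


# Constructed mini benchmark: five real vulnerabilities and five safe look-alikes.
CASES = [BenchmarkCase(f"v{i}", True) for i in range(1, 6)] + \
        [BenchmarkCase(f"s{i}", False) for i in range(1, 6)]


def score(cases, flagged):
    """Return (tpr, fpr, score) for a tool that reported the case names in `flagged`.

    tpr = TP / (TP + FN) measures detection, fpr = FP / (FP + TN) measures noise,
    and the Benchmark-style score is tpr - fpr."""
    tp = sum(1 for c in cases if c.vulnerable and c.name in flagged)
    fn = sum(1 for c in cases if c.vulnerable and c.name not in flagged)
    fp = sum(1 for c in cases if not c.vulnerable and c.name in flagged)
    tn = sum(1 for c in cases if not c.vulnerable and c.name not in flagged)
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return tpr, fpr, tpr - fpr


def compare_tools(cases=CASES):
    """Score three hypothetical tools against the same constructed cases."""
    tools = {
        # Reports every case: perfect detection, but every safe case is a false positive.
        "flag_everything": {c.name for c in cases},
        # Pattern-based: misses one real issue and flags two safe look-alikes.
        "pattern_matcher": {"v1", "v2", "v3", "v4", "s1", "s2"},
        # Observes actual data flow at runtime: reports only the real vulnerabilities.
        "runtime_agent": {c.name for c in cases if c.vulnerable},
    }
    return {name: score(cases, flagged) for name, flagged in tools.items()}


if __name__ == "__main__":
    for name, (tpr, fpr, s) in compare_tools().items():
        print(f"{name:16s} TPR={tpr:.0%} FPR={fpr:.0%} score={s:+.2f}")
```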

2. Useful during all phases of the SDLC

IAST tools are not confined to a particular phase of the SDLC. They deliver a lot of value during the development phase, because they help developers fix risks in real time, but IAST tools are also extremely useful during the QA/testing phase. Lastly, IASTs are valuable when the system is in production, because ops and appsec teams can benefit from the risk detection, with little performance hit and no risk of false positives.

3. Integration with SDLC tools and DevOps practices

First, the best IAST tools can automatically create new tasks in your issue tracker to represent security issues, so developers do not have to leave the tools they normally use.

Second, IAST tools enable seamless CI/CD environments. IAST integration stops the delivery pipeline if the number of security bugs is higher than an agreed threshold. Seek solutions that integrate with your deployment server (such as Jenkins).

And third, IAST tools fit perfectly into DevOps practices. By fostering speed, automation, and a reduction of defects, IAST tools are a valuable ally for teams adopting DevOps and DevSecOps.
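The pipeline gate mentioned in the second point is simple to express as a script, which is a useful fallback when a CI server has no native plug-in for the tool. The following is an added example, not Hdiv's own integration: it reads a findings export (the JSON shape, file names and line numbers here are constructed for the example), counts findings per severity, compares them against a hypothetical per-severity policy, and exits non-zero so that Jenkins or any other CI server marks the step as failed and stops the delivery.

```python
# Minimal CI/CD security gate (added example; report format and policy are constructed).
import json
import sys

# Constructed findings export, shaped like a generic JSON report rather than any vendor's.
SAMPLE_REPORT = json.dumps({"findings": [
    {"type": "SQL Injection", "severity": "high", "file": "UserDao.java", "line": 42},
    {"type": "Reflected XSS", "severity": "medium", "file": "Search.java", "line": 17},
    {"type": "Weak Hash Algorithm", "severity": "low", "file": "Token.java", "line": 88},
]})

# Hypothetical policy: nothing critical or high may ship; a few medium issues are tolerated.
DEFAULT_POLICY = {"critical": 0, "high": 0, "medium": 5}


def count_by_severity(report_json):
    """Count findings per (lower-cased) severity level."""
    counts = {}
    for finding in json.loads(report_json)["findings"]:
        sev = finding["severity"].lower()
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def evaluate_gate(report_json, policy=DEFAULT_POLICY):
    """Return (passed, counts, violations); each violation is (severity, actual, limit)."""
    counts = count_by_severity(report_json)
    violations = [(sev, counts.get(sev, 0), limit)
                  for sev, limit in policy.items() if counts.get(sev, 0) > limit]
    return not violations, counts, violations


def main(argv):
    # Read the report path given on the command line, or fall back to the sample report.
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    passed, counts, violations = evaluate_gate(report)
    print("findings by severity:", counts)
    for sev, actual, limit in violations:
        print(f"gate violated: {actual} {sev} finding(s), limit is {limit}")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1  # a non-zero exit status fails the pipeline step


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keeping the thresholds in one place (here `DEFAULT_POLICY`) makes the gate a reviewable artifact: loosening it is a visible change in the pipeline definition rather than a silent decision made at release time.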

4. Faster time-to-market without compromising security

IASTs provide real-time vulnerability detection and immediate feedback. Developers receive security feedback as soon as they run their code; there is no need to wait for additional scan processes to finish.

The feedback is extremely clear and actionable: it includes the type of vulnerability and its exact location in the application's source code (down to the line). For developers, this means that in the long run, IASTs' real-time feedback educates them in secure coding practices. At the same time, QA testers can quickly identify security vulnerabilities without extensive application security experience, because the results are highly reliable and specific. This saves time in the testing phase. And lastly, application security experts can stop wasting time chasing vulnerabilities and false positives and focus on strategic security initiatives.

5. Static and Dynamic visibility

One of the key benefits that IAST tools offer is the visibility of the application source code (static view) and the request execution view (dynamic view). The combination of the static and dynamic view is one of the key drivers behind the high accuracy mentioned above, and the actionability of the feedback, which provides the source code file and line number of the risk.

Q: How are IASTs different from SASTs and DASTs?

IASTs are a natural evolution of the previous generation of Application Security Testing tools: Static Application Security Testing tools (SAST) and Dynamic Application Security Testing tools (DAST).

IAST compared to SAST:
Static Application Security Testing tools examine source code in a non-runtime environment, early in the SDLC. They look for suspicious code patterns that indicate security risks. Even though they are easy to deploy, SASTs raise too many false positives because they do not take into account the presence of other security countermeasures, and they lack visibility at runtime. SAST tools normally run inside the IDE as part of the compilation phase, and introduce delays because the scan process takes time to finish. IASTs are more flexible than SASTs, because they are applicable in production runtime environments (SASTs require direct access to the source code).

IAST compared to DAST:
Essentially, a Dynamic Application Security Testing tool is a black-box scanner that executes requests against the application to find security issues. DASTs look at the application from the outside and determine the presence of risks by examining the server's response (including body and headers) to a battery of tests, but they have no visibility into the internal workings of the app. Furthermore, DAST tests are hard to automate, because DASTs must be operated by experienced appsec teams, such as penetration testers, to be truly useful. Forrester estimates that a DAST scan can take around 5 to 7 days, while testing with IAST is a real-time (zero minutes) operation [2].

Q: What are the main drawbacks of IASTs?

The IAST architecture is based on code instrumentation, and therefore it is language-specific in terms of server-side infrastructure. The good news is that the most popular web application and API development languages (Java and .NET) are extensively supported. There are no requirements for client-side infrastructure.

In terms of protection, IAST tools are non-blocking, meaning that even when a risk is detected the execution flow continues on the server. Teams interested in active protection (including blocking suspicious requests) should consider blocking protection products such as RASPs, which share the same architecture as an IAST.

Sources:

[1] Hdiv IAST OWASP Benchmark results
[2] Forrester Research, Construct A Business Case For Interactive Application Security Testing, November 2017
