Posted by Julian Alvarado on December 11, 2018
With so many vendors to choose from, finding the perfect IAST solution for your organization’s needs can be difficult. Here’s a checklist of 8 must-have features for any good IAST tool.
Many are hailing interactive application security testing (IAST) as the next step in the evolution of application testing, and for good reason. Gartner expects IAST adoption to have exceeded 30% by 2019. Why? IAST provides significant advantages over some testing methodologies, and it complements others for better coverage.
In our new eBook, Interactive Application Security Testing 101, we examine how organizations should evaluate IAST solutions. Selecting the right IAST tool is critical for businesses that run web applications, because those applications are the ideal attack vector for attackers trying to reach sensitive IP and personal information.
There are many considerations when selecting an IAST tool, and equally many vendors to choose from. Whatever IAST solution your organization chooses, we recommend that it include, at a minimum, the following features:
| Must-have | Why it’s important |
|---|---|
| Updated security dashboards for standards compliance: PCI DSS, OWASP Top 10, SANS/CWE | You need insight into security risks, trends, and coverage, as well as security compliance for running web apps (including custom code and open source components). |
| Fast, accurate, and comprehensive results out of the box, with low false-positive rates | You need to spend less time finding and remediating false positives, and you can’t afford to waste time configuring and tuning your tools to reduce them. |
| Automated identification and verification of vulnerabilities | You want to free up your teams to find and fix more complex vulnerabilities. So you need a tool that verifies each vulnerability and doesn’t inundate you with false positives. |
| Sensitive-data tracking (e.g., PII and company IP) | You need to achieve compliance with key industry security standards (e.g., PCI DSS and GDPR) by setting parameters to automatically track sensitive data in applications. |
| Ease of deployment in DevOps agile workflows | Your web app development and DevOps teams rely on agile development and automation. So they need AppSec tools that integrate seamlessly with standard build, test, and QA tools and “just work.” |
| Enterprise-grade SCA binary analysis integration | You need visibility into security vulnerabilities, license types, and versions in open source and third-party components, libraries, and frameworks. |
| Detailed security guidance and remediation advice | Your developers need detailed and contextual information about vulnerabilities, where they are located in their code, and how to remediate them. |
| Optimal support for microservices | You need an IAST solution that can easily bind together multiple microservices from a single app for assessment. |
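Two of the rows above, automated verification of vulnerabilities and sensitive-data tracking, rest on the same mechanism: an agent inside the running application watches data flow from a source (such as a request parameter) to a sink (such as a database query or a log). The toy Python below is an added illustration of that idea; it is not code from the eBook or from any vendor’s product. A real agent hooks the runtime itself, whereas here the source hook `request_param`, the sink hooks `instrumented_execute` and `instrumented_log`, the `Tainted` string type and the sample user table are all invented for the example. A finding is only recorded when tainted text actually reaches the sink at runtime, which is why the parameterised query produces no finding and the string-built one does.

```python
"""Toy IAST-style instrumentation: taint propagation plus sensitive-data labels.

Constructed illustration only. Names, hooks and sample data are invented here;
a production agent instruments bytecode rather than wrapping calls by hand.
"""
import inspect
import sqlite3
from dataclasses import dataclass, field


class Tainted(str):
    """A str that remembers its source and carries data labels (e.g. PII)."""

    def __new__(cls, value, source, labels=()):
        obj = super().__new__(cls, value)
        obj.source = source
        obj.labels = frozenset(labels)
        return obj

    # Only '+' propagates taint in this toy; a real agent covers every str op.
    def __add__(self, other):
        labels = self.labels | getattr(other, "labels", frozenset())
        return Tainted(str.__add__(self, other), self.source, labels)

    def __radd__(self, other):
        labels = self.labels | getattr(other, "labels", frozenset())
        return Tainted(str.__add__(other, self), self.source, labels)


@dataclass
class Finding:
    rule: str          # what was observed
    cwe: str           # mapping for a SANS/CWE style dashboard
    sink: str          # which hooked call the data reached
    source: str        # where the data entered the application
    location: str      # application function that called the sink
    labels: frozenset = field(default_factory=frozenset)


FINDINGS = []     # what the "dashboard" would render
LOG_LINES = []    # stand-in for the application's log file


def _caller():
    # stack[0] is this helper, [1] is the sink hook, [2] is application code
    return inspect.stack()[2].function


def request_param(name, value, labels=()):
    """Source hook: everything coming from the request is tainted."""
    return Tainted(value, f"request.param[{name}]", labels)


def instrumented_execute(cursor, sql, params=()):
    """Sink hook: tainted SQL *text* means user input shaped the query."""
    if isinstance(sql, Tainted):
        FINDINGS.append(Finding("sql-injection", "CWE-89", "sqlite3.Cursor.execute",
                                sql.source, _caller(), sql.labels))
    return cursor.execute(sql, params)


def instrumented_log(message):
    """Sink hook: PII-labelled data written to a log is a sensitive-data finding."""
    if isinstance(message, Tainted) and "PII" in message.labels:
        FINDINGS.append(Finding("sensitive-data-exposure", "CWE-532", "log",
                                message.source, _caller(), message.labels))
    LOG_LINES.append(str(message))


# --- application code under test (constructed) ---------------------------

def lookup_user_vulnerable(conn, username):
    # Query text is built from input, so the tainted string reaches the sink.
    cur = conn.cursor()
    instrumented_execute(cur, "SELECT id FROM users WHERE name = '" + username + "'")
    return cur.fetchall()


def lookup_user_fixed(conn, username):
    # Query text is a constant; only the bound parameter is tainted. No finding.
    cur = conn.cursor()
    instrumented_execute(cur, "SELECT id FROM users WHERE name = ?", (username,))
    return cur.fetchall()


def audit_login(email):
    instrumented_log("login attempt for " + email)


def run_demo():
    """Exercise the instrumented app once; return (rule, location) per finding."""
    FINDINGS.clear()
    LOG_LINES.clear()
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'alice@example.test')")
    name = request_param("name", "alice")
    email = request_param("email", "alice@example.test", labels={"PII"})
    lookup_user_vulnerable(conn, name)
    lookup_user_fixed(conn, name)
    audit_login(email)
    instrumented_log("login ok")
    return [(f.rule, f.location) for f in FINDINGS]


if __name__ == "__main__":
    for f in FINDINGS if run_demo() else []:
        print(f"{f.cwe} {f.rule}: {f.source} -> {f.sink} in {f.location}")
```

Because the agent sees the real call, each finding carries the source, the sink and the function that connected them, which is exactly the contextual remediation information the checklist asks for. The labels on `Tainted` are how a sensitive-data policy (PII, company IP) is attached at the source and checked at every sink without the developer annotating each call site.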