close search bar

Sorry, not available in this language yet

close language selection

How does IAST fit into DevSecOps?

Synopsys Editorial Team

Mar 10, 2020 / 3 min read

Table of Contents

Application security testing has become more prevalent, leading to the need for more effective tools in the software development life cycle (SDLC). Initially, this may bring to mind SASTDAST, and penetration testing (pen testing), given their history of working well in legacy software development environments. However, with the emergence of new technologies and practices such as containers, microservices, and DevOps, these traditional tools struggle to keep up with the fast pace of modern application delivery.

Consequently, interactive application security testing (IAST) has emerged to address security testing challenges, especially those found in DevSecOps. IAST is a new generation of application security testing that bridges the gaps between SAST, DAST, and pen testing. You could even say that IAST was made for DevSecOps and the closely allied SDLC concepts of agile and CI/CD (continuous integration/continuous delivery).

Benefits of IAST in DevSecOps

Many organizations already recognize how well IAST works in rapid development cycles, but there is plenty of room for it to grow. Recent survey results show that 25% of cyber security professionals don’t know whether their organizations are using IAST. However, IAST adoption is expected to grow as DevSecOps organizations learn more about the many benefits of using IAST, including these:

Integration and automation

IAST combines the best of DAST (dynamic application security testing), which tests running applications for real vulnerabilities, and SAST (static application security testing), which tests code in a nonrunning state and is easily integrated and automated at several points in the SDLC. And IAST doesn’t need additional scans, as it continuously monitors applications and detects vulnerabilities in real time in the background while functional testing occurs.

In fact, IAST creates virtually no delay during testing in CI/CD workflows, and an IAST solution integrated with software composition analysis (SCA) can find third-party software dependencies and detect known vulnerabilities and license conflicts in open source.

Early testing

One of the most valuable benefits that IAST brings to DevSecOps is that it can begin as early as build integration, when developers perform functional testing via web pages or APIs. IAST agents monitor an application during testing and QA stages, reporting on any vulnerabilities it discovers, and can also find configuration issues in running programs.

Overall, with IAST automatically detecting security vulnerabilities in the background, your development teams can concentrate on carrying out their usual testing and quality assurance (QA) work.

Incremental testing

One advantage of IAST over other types of security testing is its ability to validate and report only new vulnerabilities in an updated codebase. Testing on such an incremental basis, IAST enables developers to catch and correct issues earlier in the SDLC, when they are the most familiar with the code and it’s easier and less costly to fix vulnerabilities from a resources and security risk perspective.

Vulnerability verification and sensitive-data tracking

Another edge that IAST has over some other forms of application security testing in DevSecOps is its ability to pinpoint the specific lines of code where it has identified an application vulnerability. Thus, developers can save many hours trying to track down coding bugs and errors. The best IAST solutions can also automatically verify whether the vulnerabilities they find are exploitable, so developers are less likely to investigate a bug only to come to the irritating conclusion that it is nothing more than a false positive.

Another distinctive capability of some IAST solutions is the ability to track and detect sensitive-data leakages that traditional application testing tools cannot.

IAST and the modern application security program

IAST is only one element of a modern application security program. The adoption of DevSecOps and the trend toward shifting left have empowered developers to find and fix coding errors and application vulnerabilities ever earlier in the SDLC. With waterfall software development and monolithic applications quickly becoming things of the past, security tools focused on network perimeter defense bolted on at the end of the development cycle have also become passé. You need a combination of modern solutions, such as IAST, and traditional AppSec tools, such as SAST, DAST, SCA, pen testing, and security testing services, to create secure software in today’s complex development environments.

To learn more about the advantages of integrating IAST and other solutions into a modern application security program, read the new 451 Research report Designing a Modern Application Security Program.

New from 451 Research: Designing a Modern Application Security Program

Get the report

Continue Reading

Understanding Python pickling and how to use it securely

Understanding Python pickling and how to use it securely

Ashutosh Agrawal
By Ashutosh Agrawal

Apr 17, 2024 / 3 min read

Tags: Build Security into DevOps, Training
How to detect, prevent, and mitigate buffer overflow attacks

How to detect, prevent, and mitigate buffer overflow attacks

Natalie Lightner
By Natalie Lightner

Mar 31, 2024 / 8 min read

Tags: Software Integrity, Build Security into DevOps, SAST
4 approaches to vulnerability remediation

4 approaches to vulnerability remediation

Natalie Lightner
By Natalie Lightner

Mar 27, 2024 / 4 min read

Tags: SCA, Build Security into DevOps, Training, Manage Security Risks

Explore Topics

Agile, CI/CD
AppSec Best Practices
Automotive
Build Secure Software
Cloud Security
Compliance
Container Security
CyRC
DevSecOps
DAST
Financial Services
Fuzzing
Healthcare
IAST
Internet of Things
M&A
Manage Security Risks
Medical Devices
Mobile
Orchestration & Correlation
OSS License Compliance
Pen Testing
Program Strategy & Planning
Public Sector
SAST
SCA
Software Supply Chain
Security News & Research
Threat Modeling
Threat & Risk Assessment
Training
Web Application Security