IAST tools work by instrumenting the application under test, so their capabilities depend on the application's programming language. Select an IAST tool that can test applications written in the programming languages you use and that is compatible with the underlying framework your software is built on. It should deploy quickly and easily, with seamless integration into CI/CD workflows. Compatibility with any type of test method (existing automation tests, manual QA/dev tests, automated web crawlers, unit tests, and so on) is another feature to look for.
The best IAST tools give DevOps teams the ability both to identify security vulnerabilities and to indicate whether a given vulnerability is exploitable. Any modern IAST tool should expose web APIs that let DevOps leads integrate testing into continuous integration builds, such as those run by Jenkins. Native integration with defect management tools such as Atlassian Jira streamlines the defect management workflow.
With the prevalence of open source code in today's software, effective IAST tools need to be aware of the open source composition of the applications being tested. That composition analysis is the job of an SCA (software composition analysis) tool, which must understand open source development paradigms well enough to produce a comprehensive inventory of open source dependencies, regardless of how each dependency is linked into the application.
Determining whether an open source vulnerability is exploitable within a given application requires knowing whether the vulnerable component is present, how an exploit of the vulnerability operates, and how the application uses the component. Only a combination of top-tier IAST and SCA tools can effectively identify this class of software risk and guide developers to a resolution. An integrated IAST and SCA solution helps development teams build more secure software, minimize risk while maximizing speed and productivity, and improve software quality.
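The two questions above (is the vulnerable component present, and does the application actually use the affected API) can be illustrated with a small script. This is an added example, not code from the original article or from any IAST/SCA vendor; the package names (`yamlkit`, `fastjson`, `requestsx`), versions, advisory identifiers (`ADV-0001`, `ADV-0002`) and the application snippet are all constructed for illustration and do not refer to real projects or real vulnerabilities. Step one matches a pinned dependency manifest against an advisory list; step two parses the application's source with Python's `ast` module to see whether the advisory's entry point is ever called, which is a crude stand-in for the usage information a real SCA or IAST tool collects.

```python
"""Added example: a minimal software-composition check with a reachability
step. All package names, versions, advisories and the application snippet
below are constructed for illustration; none refers to a real project."""
import ast
import re
from dataclasses import dataclass


# Constructed advisory records: the vulnerable package, the first fixed
# version, and the dotted API path whose use makes the issue exploitable.
@dataclass(frozen=True)
class Advisory:
    ident: str          # placeholder identifier, not a real CVE
    package: str
    fixed_in: str
    entry_point: str    # "module.function" that untrusted input would reach


ADVISORIES = [
    Advisory("ADV-0001 (constructed)", "yamlkit", "5.4", "yamlkit.load"),
    Advisory("ADV-0002 (constructed)", "fastjson", "1.1", "fastjson.loads"),
]

# Constructed pinned dependency manifest (requirements.txt style).
REQUIREMENTS = """\
yamlkit==5.1
fastjson==1.0.2
requestsx==2.25  # no advisory for this one
"""

# Constructed application source: calls yamlkit.load, imports only fastjson.dumps.
APP_SOURCE = """\
import yamlkit
from fastjson import dumps

def handle(body):
    cfg = yamlkit.load(body)
    return dumps(cfg)
"""


def parse_requirements(text):
    """Map package name -> pinned version, ignoring blanks and comments."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9.]*)", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def version_key(v):
    """Turn a dotted version string into a tuple that compares numerically."""
    return tuple(int(p) for p in v.split("."))


def present_vulnerabilities(deps, advisories):
    """Step 1: is a vulnerable version of the component present at all?"""
    return [a for a in advisories
            if a.package in deps
            and version_key(deps[a.package]) < version_key(a.fixed_in)]


def reachable_entry_points(source, entry_point):
    """Step 2: does the application actually call the vulnerable API?
    Returns the line numbers of matching call sites found via the AST."""
    module, func = entry_point.rsplit(".", 1)
    tree = ast.parse(source)
    module_aliases, func_aliases = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == module:
                    module_aliases.add(alias.asname or alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module == module:
            for alias in node.names:
                if alias.name == func:
                    func_aliases.add(alias.asname or alias.name)
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id in module_aliases and f.attr == func):
            hits.append(node.lineno)          # yamlkit.load(...) style call
        elif isinstance(f, ast.Name) and f.id in func_aliases:
            hits.append(node.lineno)          # load(...) after "from yamlkit import load"
    return hits


def assess(requirements, app_source, advisories=ADVISORIES):
    """Combine both steps: report each present vulnerability together with
    whether the application reaches its entry point."""
    deps = parse_requirements(requirements)
    report = {}
    for adv in present_vulnerabilities(deps, advisories):
        lines = reachable_entry_points(app_source, adv.entry_point)
        report[adv.ident] = {
            "package": adv.package,
            "installed": deps[adv.package],
            "fixed_in": adv.fixed_in,
            "reachable": bool(lines),
            "call_sites": lines,
        }
    return report


if __name__ == "__main__":
    for ident, r in assess(REQUIREMENTS, APP_SOURCE).items():
        status = ("call to vulnerable API found" if r["reachable"]
                  else "present, vulnerable API never called")
        print(f"{ident}: {r['package']} {r['installed']} (fixed in "
              f"{r['fixed_in']}): {status} {r['call_sites']}")
```

Run as written, the report flags both constructed advisories as present, but only `ADV-0001` as reachable (the `yamlkit.load` call on line 5 of the snippet), while `ADV-0002` stays at "present, never called" because the application imports only `fastjson.dumps`. A real tool would go further than this static check: IAST instrumentation observes the call at runtime with actual request data, which is what lets it say whether the path is exploitable rather than merely present.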