Now it’s time to answer the question I put in the headline. While every application and CI/CD pipeline is different, here are some common reasons to choose IAST:
- IAST identifies high and critical vulnerabilities at a much lower cost than static application security testing (SAST) and DAST.
- Some vulnerabilities marked as fixed at earlier stages of the pipeline can still be found at the testing stage in running applications.
- IAST identifies actually exploitable vulnerabilities in a running application, so it’s much easier to prioritize remediation activities.
- Penetration testing costs drop significantly, as most of the exploitable vulnerabilities have already been found by IAST.
You may also ask how this helps to remediate critical vulnerabilities within one day, another question I asked at the beginning. Let’s be honest: IAST, or any other technology, is not a silver bullet that alone can solve the problem. But in order to remediate critical vulnerabilities faster, you need to start detecting them faster and more accurately, without spending days (or even weeks) looking at false positives or true positives that aren’t exploitable or reachable. That’s exactly what IAST does for you.
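To make the "exploitable and reachable" point concrete, here is an added example (not code from the original post or from any IAST product) of the core mechanism an IAST agent relies on: labelling untrusted input at a source, following the label through string operations at runtime, and raising a finding only when a still-labelled value reaches a dangerous sink while the application is actually being exercised. The request handlers, the `from_request` source hook, the `sink` decorator and the `quote_literal` sanitiser are all assumed stand-ins constructed for the demonstration.

```python
"""Minimal IAST-style runtime taint tracking (added example, not from the original post).

Source: data labelled as coming from an (assumed) HTTP request parameter.
Sink:   a function whose arguments must never be attacker-controlled.
A finding is recorded only when a tainted value actually reaches a sink
during execution, so unexercised or properly sanitised paths report nothing.
"""
from dataclasses import dataclass
from functools import wraps
from typing import Callable, List


class Tainted(str):
    """A str that remembers its origin and keeps the label through concatenation."""
    origin: str

    def __new__(cls, value: str, origin: str):
        obj = super().__new__(cls, value)
        obj.origin = origin
        return obj

    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.origin)

    def __radd__(self, other):
        # Called for plain_str + Tainted because Tainted is a str subclass.
        return Tainted(str.__add__(other, self), self.origin)


@dataclass
class Finding:
    source: str
    sink: str
    payload: str


FINDINGS: List[Finding] = []


def from_request(param: str, value: str) -> Tainted:
    """Source hook (assumed): label untrusted input with where it came from."""
    return Tainted(value, f"request.param[{param}]")


def sink(name: str) -> Callable:
    """Sink hook (assumed): record a finding if any argument is still tainted."""
    def deco(fn):
        @wraps(fn)
        def wrapper(*args, **kwargs):
            for arg in list(args) + list(kwargs.values()):
                if isinstance(arg, Tainted):
                    FINDINGS.append(Finding(arg.origin, name, str(arg)))
            return fn(*args, **kwargs)
        return wrapper
    return deco


def quote_literal(value: str) -> str:
    """Sanitiser (assumed): str.replace returns a plain str, so the label is dropped."""
    return "'" + value.replace("'", "''") + "'"


@sink("sql.execute")
def execute_sql(query: str) -> str:
    """Stand-in for a database call; returns the query it would have run."""
    return query


@sink("os.shell")
def run_shell(cmd: str) -> str:
    """Stand-in for a shell call; returns the command it would have run."""
    return cmd


def search_handler(user_id: str) -> str:
    """Exploitable and reachable: untrusted input concatenated straight into SQL."""
    uid = from_request("id", user_id)
    return execute_sql("SELECT * FROM users WHERE id = " + uid)


def profile_handler(name: str) -> str:
    """Safe: the input is sanitised before it reaches the sink, so no finding."""
    n = from_request("name", name)
    return execute_sql("SELECT * FROM users WHERE name = " + quote_literal(n))


def legacy_export_handler(path: str) -> str:
    """Unreachable in this run: static analysis would flag it, IAST stays silent."""
    return run_shell("tar czf backup.tgz " + from_request("path", path))


def run_simulated_tests() -> List[Finding]:
    """Drive the app the way an integration test suite would; return what IAST saw."""
    FINDINGS.clear()
    search_handler("42")
    profile_handler("O'Brien")
    # legacy_export_handler is deliberately never called in this test run.
    return list(FINDINGS)


if __name__ == "__main__":
    for f in run_simulated_tests():
        print(f"{f.source} -> {f.sink}: {f.payload}")
```

Only the `search_handler` flow is reported: the sanitised path drops the label, and the dead `legacy_export_handler` is never executed, which is exactly the class of "true positive that isn't reachable" a static scan would still hand to the developer.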