Interactive Application Security Testing (IAST)

What benefits does IAST offer?

IAST shifts testing left in the SDLC. IAST generally takes place during the test/QA stage of the software development life cycle (SDLC). IAST effectively shifts testing left, so problems are caught earlier in the development cycle, reducing remediation costs and delays. Many tools can be integrated into continuous integration (CI) and continuous development (CD) tools. The latest-generation tools return results as soon as changed code is recompiled and the running app retested, helping developers identify vulnerabilities even earlier in the development process.

IAST provides accurate results for fast triage. To keep pace with the demand for rapid development of web applications, organizations need accurate, automated security testing tools that scale to process hundreds of thousands of HTTP requests while returning results with low false-positive rates. DAST tools often generate many false positives but don’t specify lines of code for identified vulnerabilities, making it difficult to triage results and easily eliminate false positives. Both IAST and SAST can provide detailed information (including lines of code) to help development and security teams triage test results.

IAST pinpoints the source of vulnerabilities. IAST does analysis from within applications and has access to application code, runtime control and dataflow information, memory and stack trace information, HTTP requests and responses, and libraries, frameworks, and other components (via an SCA tool). This analysis allows developers to pinpoint the source of an identified vulnerability and fix it quickly.

IAST integrates easily into CI/CD. Web application development teams and DevOps teams require AppSec tools that integrate seamlessly with standard build, test, and QA tools without extensive configuration or tuning to reduce false positives. These tools should be easy to deploy, update, and scale to support large enterprise requirements. IAST is the only type of dynamic testing technique that integrates seamlessly into CI/CD pipelines.

IAST allows for earlier, less costly fixes. Security and development teams need AppSec tools that find vulnerabilities and enable developers to fix them early in the SDLC, when developers are most familiar with their code and errors and vulnerabilities are least costly to fix from a resources and security risk posture perspective. SAST and SCA tools are typically used during the development stage, while IAST is used during the test/QA stage. Results are fed back to developers, who fix identified vulnerabilities during the development stage.

Why is IAST an important security activity?

According to the 2017 Verizon Data Breach Investigations Report, 29.5% of breaches were caused by web application attacks (by far the most common vector). Web apps are the attack surface of choice for hackers attempting to break through to get access to sensitive IP/data and personal data, such as usernames and passwords, credit card numbers, and patient information. Organizations should ensure that web applications are secure, ideally before they are deployed in production, when they could be at risk of security attacks and costly data breaches. Further, developers should be able to perform quick fixes when critical vulnerabilities are discovered.

While development and security teams often use SAST and SCA solutions to identify security weaknesses and vulnerabilities in proprietary and open source code in their web applications, detection of many vulnerabilities can be done only by dynamically testing the running application.

IAST identifies security vulnerabilities in running applications while providing developers with the relevant lines of code and contextual remediation advice. That way, they can find and fix security vulnerabilities quickly, before web apps go into production, lowering the risk of security attacks that result in data breaches.

What are the key steps to run IAST effectively?

1. Deploy DevOps. IAST requires integration into your CI/CD environment.
2. Choose your tool. Select a tool that can perform code reviews of applications written in the programming languages you use and that is compatible with the underlying framework used by your software.
3. Create the scanning infrastructure and deploy the tool. Set up access control, authorization, and any integrations required, such as Jira for bug tracking, to deploy the tool.
4. Customize the tool. Fine-tune the tool to suit the needs of your organization. Integrate the tool into the build environment, create dashboards for tracking scan results, and build custom reports.
5. Prioritize and add applications. Once the tool is ready, add your applications. If you have many applications, prioritize the high-risk web applications to scan first.
6. Analyze scan results. Triage your scan results to remove false positives. Track and remediate any vulnerability issues as early in the SDLC as possible.
7. Provide training. Train your development and security teams on how to use the results from the IAST tool effectively and how to incorporate them into the application development and deployment process.

How is IAST different from DAST?

Using DAST tools to find security vulnerabilities during test/QA or when apps are released to production is inefficient and potentially expensive because DAST can’t identify vulnerable lines of code. IAST is likely to displace some DAST usage over time for two reasons: It provides significant advantages by returning vulnerability information and remediation guidance rapidly and early in the SDLC, and it can be integrated into CI/CD and DevOps workflows, whereas DAST cannot. Gartner believes that “by 2019, enterprise IAST adoption will have exceeded 30 percent” (Dionisio Zumerle and Ayal Tirosh, Magic Quadrant for Application Security Testing, Gartner, Feb. 2017).