Interactive Application Security Testing (IAST)

What is IAST?

Interactive application security testing solutions help organizations identify and manage security risks associated with vulnerabilities discovered in running web applications using dynamic testing (often referred to as runtime testing) techniques. IAST works through software instrumentation, or the use of instruments to monitor an application as it runs and gather information about what it does and how it performs. IAST solutions instrument applications by deploying agents and sensors in running applications and continuously analyzing all application interactions initiated by manual tests, automated tests, or a combination of both to identify vulnerabilities in real time. In addition, some IAST solutions integrate software composition analysis (SCA) tools to address known vulnerabilities in open source components and frameworks.

What benefits does IAST offer?

IAST shifts testing left in the SDLC. IAST generally takes place during the test/QA stage of the software development life cycle (SDLC), so problems are caught earlier in the development cycle, reducing remediation costs and delays. Many IAST tools can be integrated into continuous integration (CI) and continuous delivery (CD) tools. The latest-generation IAST tools return results as soon as changed code is recompiled and the running app retested, helping developers identify vulnerabilities even earlier in the development process.

IAST provides accurate results for fast triage. To keep pace with the demand for rapid development of web applications, organizations need accurate, automated security testing tools that scale to process hundreds of thousands of HTTP requests while returning results with low false-positive rates. DAST tools often generate many false positives and don’t specify lines of code for identified vulnerabilities, making it difficult to triage results and eliminate the false positives. Both IAST and SAST can provide detailed information (including lines of code) to help development and security teams triage test results.

IAST pinpoints the source of vulnerabilities. IAST does analysis from within applications and has access to application code, runtime control and dataflow information, memory and stack trace information, HTTP requests and responses, and libraries, frameworks, and other components (via an SCA tool). This analysis allows developers to pinpoint the source of an identified vulnerability and fix it quickly.
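
The instrumentation described above, reduced to a minimal sketch (an added example, not code from any IAST product): one sensor records untrusted request values at the entry point, and another wraps the SQL sink and reports the calling function and line when such a value reaches the query text. The names `source`, `InstrumentedConnection`, and the sample handlers are hypothetical, and simple value matching stands in for full dataflow tracking.

```python
import sqlite3
import traceback

FINDINGS = []             # what an agent would report back for triage
_request_values = set()   # untrusted values seen in the current request

def source(params):
    """Sensor at the HTTP entry point: remember each untrusted parameter value."""
    _request_values.clear()
    # Assumption: ignore very short values to avoid accidental substring matches.
    _request_values.update(v for v in params.values() if len(v) >= 3)
    return params

class InstrumentedConnection:
    """Sensor at the SQL sink: wraps a real connection and inspects each query."""
    def __init__(self, conn):
        self._conn = conn

    def execute(self, sql, args=()):
        hit = [v for v in _request_values if v in sql]
        if hit:  # untrusted data became part of the SQL text itself
            caller = traceback.extract_stack(limit=2)[0]  # frame that called execute()
            FINDINGS.append({"type": "sql-injection", "value": hit[0],
                             "function": caller.name, "line": caller.lineno})
        return self._conn.execute(sql, args)

# --- application under test (constructed sample) ---
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'alice@example.test')")
    return InstrumentedConnection(conn)

def lookup_vulnerable(db, params):
    sql = "SELECT email FROM users WHERE name = '" + params["name"] + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, params):
    # Parameterized: the value never enters the SQL text, so the sensor stays quiet.
    return db.execute("SELECT email FROM users WHERE name = ?", (params["name"],)).fetchall()

def run_functional_tests():
    """An ordinary QA test with benign input is enough to surface the flaw."""
    FINDINGS.clear()
    db = make_db()
    for handler in (lookup_vulnerable, lookup_safe):
        assert handler(db, source({"name": "alice"})) == [("alice@example.test",)]
    return list(FINDINGS)

if __name__ == "__main__":
    print(run_functional_tests())
```

Both handlers return the same correct result for the test input; only the finding, with its function name and line number, distinguishes the one that builds SQL by concatenation.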

IAST integrates easily into CI/CD. Web application development teams and DevOps teams require AppSec tools that integrate seamlessly with standard build, test, and QA tools without extensive configuration or tuning to reduce false positives. These tools should be easy to deploy, update, and scale to support large enterprise requirements. IAST is the only type of dynamic testing technique that integrates seamlessly into CI/CD pipelines.

IAST allows for earlier, less costly fixes. Security and development teams need AppSec tools that find vulnerabilities and enable developers to fix them early in the SDLC, when developers are most familiar with their code and errors and vulnerabilities are least costly to fix from a resources and security risk posture perspective. SAST and SCA tools are typically used during the development stage, while IAST is used during the test/QA stage. IAST results are fed back to developers, who fix identified vulnerabilities during the development stage.

Why is IAST an important security activity?

According to the 2017 Verizon Data Breach Investigations Report, 29.5% of breaches were caused by web application attacks (by far the most common vector). Web apps are the attack surface of choice for hackers attempting to break through to get access to sensitive IP/data and personal data, such as usernames and passwords, credit card numbers, and patient information. Organizations should ensure that web applications are secure, ideally before they are deployed in production, when they could be at risk of security attacks and costly data breaches. Further, developers should be able to perform quick fixes when critical vulnerabilities are discovered.

While development and security teams often use SAST and SCA solutions to identify security weaknesses and vulnerabilities in proprietary and open source code in their web applications, detection of many vulnerabilities can be done only by dynamically testing the running application.

IAST identifies security vulnerabilities in running applications while providing developers with the relevant lines of code and contextual remediation advice. That way, they can find and fix security vulnerabilities quickly, before web apps go into production, lowering the risk of security attacks that result in data breaches.

What are the key steps to run IAST effectively?

  1. Deploy DevOps. IAST requires integration into your CI/CD environment.
  2. Choose your tool. Select an IAST tool that can perform code reviews of applications written in the programming languages you use and that is compatible with the underlying framework used by your software.
  3. Create the scanning infrastructure and deploy the tool. Set up access control, authorization, and any integrations required, such as Jira for bug tracking, to deploy the tool.
  4. Customize the tool. Fine-tune the tool to suit the needs of your organization. Integrate the tool into the build environment, create dashboards for tracking scan results, and build custom reports.
  5. Prioritize and add applications. Once the tool is ready, add your applications. If you have many applications, prioritize the high-risk web applications to scan first.
  6. Analyze scan results. Triage your scan results to remove false positives. Track and remediate any vulnerability issues as early in the SDLC as possible.
  7. Provide training. Train your development and security teams on how to use the results from the IAST tool effectively and how to incorporate them into the application development and deployment process.

How is IAST different from DAST?

Using DAST tools to find security vulnerabilities during test/QA or when apps are released to production is inefficient and potentially expensive because DAST can’t identify vulnerable lines of code. IAST is likely to displace some DAST usage over time for two reasons: It provides significant advantages by returning vulnerability information and remediation guidance rapidly and early in the SDLC, and it can be integrated into CI/CD and DevOps workflows, whereas DAST cannot. Gartner believes that “by 2019, enterprise IAST adoption will have exceeded 30 percent” (Dionisio Zumerle and Ayal Tirosh, Magic Quadrant for Application Security Testing, Gartner, Feb. 2017).

What tools can be used for IAST?

Synopsys offers the most comprehensive solution for integrating security and quality into your SDLC and supply chain.

Seeker by Synopsys finds and verifies security vulnerabilities in code during the test/QA stage of the SDLC. It provides highly accurate analysis, so developers don’t waste time on false positives.

What should you look for in an IAST tool?

  • Web APIs that enable DevOps leads to integrate testing into Jenkins builds and other enterprise-specific tools
  • Native Jira integration for bug tracking and integration into other development, QA, and test tools
  • Compatibility with any type of test method—existing automation tests, manual QA/dev tests, automated web crawlers, unit testing, etc.
  • Real-time analysis results with low false-positive rates out of the box
  • Ability to scale in a large enterprise environment
  • Fully automated, Docker-based, or manual deployment models
  • Support for microservices-based, cloud-based, and standard architecture applications