The term interactive application security testing (IAST) applies to security testing where the testing tool interacts with a running application and observes it from the inside in real time. Note that the term IAST can refer both to the security testing methodology and to tools that use this approach.
Interactive application security testing solutions are designed to test web application frameworks and APIs. Very few IAST solutions exist for mobile and desktop applications.
IAST is also referred to as gray-box testing.
Interactive application security testing tools work by running checks on the codebase of an application as the code is being executed by the web server or application server. This AppSec technology fills the gap between static application security testing, which involves checking static (not running) code, and dynamic application security testing, which checks the application from the outside only.
IAST may be implemented as part of automation workflows (CI/CD pipelines) but is just as useful during scheduled or manual application testing processes. One of the biggest benefits of IAST is that, just like static code analysis, it is able to pinpoint the problem to the line of code. If the IAST tool works on bytecode, it is usually able to reverse-engineer the intermediate code and isolate the issue in the corresponding source code.
Note that application security tools, unlike anti-malware tools, do not perform remediation. Their job is only to find typical security issues in an application, such as SQL injection and cross-site scripting (XSS) vulnerabilities – not to fix them. Any security risks that are found need to be eliminated manually by development teams.
Because the concept of IAST is relatively new compared to DAST and SAST, and was initially devised to cover a variety of approaches by different vendors, the term may apply to cybersecurity tools that differ significantly in what they do. In general, there are three classes of IAST tools available on the market.
Most tools, known as passive IAST, provide only a sensor that attaches to the running application. If this sensor notices something suspicious as the application runs, it reports it to the IAST solution’s dashboard. Such tools are usually induced by QA testing (unit tests) and cover only the code that is exercised by that testing.
A large selection of IAST tools on the market are delivered by DAST makers but as separate (non-integrated) products. These are known as active IAST or DAST-induced IAST (a term originally used by Gartner): they use DAST to activate the IAST sensors but do not collate data from the two sources. They work just as if you took a passive IAST solution and combined it with a completely separate DAST.
A handful of tools on the market go a step further than active IAST and these have been dubbed true IAST. This is because for these tools, there is actual interaction between the inducing element (a DAST scanner) and the IAST sensor. The two communicate and influence each other to provide better test results, attain a very low false-positive rate, and fully confirm security vulnerabilities. All the DAST and IAST results are also collated into a common reporting interface. Invicti and Acunetix by Invicti are examples of such true IAST tools.
All IAST tools need sensors to monitor the running application, but there are a few different ways of implementing the sensors. That is why there are two broad classes of IAST sensors:
Most IAST tools on the market, especially passive IAST, work on the basis of invasive sensors. This means that for the IAST tools to work, the developer must introduce changes to the source code – this is called instrumentation.
The downside of this approach is that the business must maintain two separate branches of its source code: one with IAST sensors and one without them. This introduces extra complexity and can lead to organizational problems.
A few IAST tools use a different method of monitoring. Their sensors are not placed in the source code and don’t need any code modifications. Instead, the sensors attach directly to the server-side runtime environment and “listen in” on the code as it is executed by the web server or application server.
Tools that use non-invasive sensors are able to scan applications without any changes to the source code or configuration. In practice, this means that developers don’t need to prepare separate code branches for security testing.
Invicti and Acunetix by Invicti are two examples of tools that use non-invasive sensors.
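To make the sensor idea concrete, here is a toy sensor written for this article (it is not Invicti’s, Acunetix’s or any other vendor’s code). It attaches non-invasively by wrapping sqlite3 connections at runtime, so the application functions are left untouched, and when a QA test drives untrusted input into a concatenated SQL query it reports the finding together with the exact calling line, as described above. The `untrusted`, `SensedConnection` and `run_qa_test` names are assumptions made for the example.

```python
import inspect
import sqlite3
# Toy sensor constructed for this page; not any vendor's product.
TAINTED = set()   # values that entered the app from an untrusted source
FINDINGS = []     # (kind, file, line, sql) tuples the sensor would report

def untrusted(value):   # source hook: mark e.g. a request parameter as tainted
    TAINTED.add(value)
    return value

class SensedConnection:
    """Sink hook: wraps a sqlite3 connection so every execute() is observed."""
    def __init__(self, real):
        self._real = real

    def execute(self, sql, params=()):
        # Tainted text spliced into the SQL string (not bound via params) is injection.
        if any(t and t in sql for t in TAINTED):
            caller = inspect.currentframe().f_back   # the application line calling the sink
            FINDINGS.append(("sql-injection", caller.f_code.co_filename,
                             caller.f_lineno, sql))
        return self._real.execute(sql, params)

    def __getattr__(self, name):   # everything else passes straight through
        return getattr(self._real, name)

_real_connect = sqlite3.connect

def attach_sensor():   # non-invasive: patch the runtime, application code untouched
    sqlite3.connect = lambda *a, **k: SensedConnection(_real_connect(*a, **k))

# Application code under test; the sensor never modifies it.
def find_user(conn, username):
    return conn.execute("SELECT name FROM users WHERE name = '" + username + "'").fetchall()

def find_user_safe(conn, username):
    return conn.execute("SELECT name FROM users WHERE name = ?", (username,)).fetchall()

def run_qa_test():
    """A QA test that induces the sensor, as passive IAST relies on."""
    attach_sensor()
    TAINTED.clear(); FINDINGS.clear()
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice')")
    name = untrusted("alice")          # simulates an HTTP request parameter
    find_user(conn, name)              # flagged: concatenated query
    find_user_safe(conn, name)         # not flagged: parameterized query
    return list(FINDINGS)
```

A real tool applies the same source-to-sink idea across many sinks (file access, command execution, HTTP clients) and tracks taint through string operations rather than by substring matching.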
Interactive application security testing should be a part of a complete security testing program that includes other web application security testing methods, such as dynamic application security testing (DAST, or black-box testing), static application security testing (SAST, or white-box testing), software composition analysis (SCA, used to analyze open-source components), RASP (runtime application self-protection), and manual penetration testing. IAST has several advantages over other testing methodologies.
Interactive application security testing also has some disadvantages in relation to other application security testing methodologies.
Keeping these advantages and disadvantages in mind, it is best practice to only use IAST together with DAST and/or SAST. When using active IAST or true IAST, this is a natural combination because these types of IAST require DAST to run.
The sole function of interactive application security testing is to scan the running application code and find vulnerabilities. However, in most environments, that is not enough. That is why IAST tools either offer extra functionality or come bundled with accompanying software, which offers the following functions:
Many IAST providers offer bundles that include not just vulnerability assessment and vulnerability management (usually as separate applications within the same environment) but also other types of application security scanning, such as DAST and IAST.
Some vendors provide a combination of DAST, IAST, vulnerability assessment, and vulnerability management in a single solution. DAST and IAST are a natural combination and professional DAST tools come with vulnerability assessment and management functionality built in. Examples of such solutions are Invicti and Acunetix by Invicti.
There are two distinct methods to implement IAST in an agile DevOps/DevSecOps workflow, depending on the type of IAST:
Passive IAST tools provide only a sensor that attaches to the running application, usually induced by QA testing. Active IAST tools use DAST to activate IAST sensors but do not collate data from the two sources. True IAST tools like Invicti and Acunetix have actual interaction between the DAST scanner and the IAST sensor. The two communicate and influence each other to provide better test results, attain a very low false-positive rate, and fully confirm many security vulnerabilities.
A comprehensive security program should include different types of tools as they complement one another. This means you should aim to use DAST, SAST, and IAST. However, if your budget is limited or if you are just starting out, DAST will be the best choice as your first or only solution, as it is the most versatile and the easiest to set up. With Invicti and Acunetix DAST solutions, you can even get DAST and IAST together.
Written by: Tomasz Andrzej Nidecki, reviewed by: Zbigniew Banach
IAST (interactive application security testing) is an application security testing method that tests the application while the app is run by an automated test, human tester, or any activity “interacting” with the application functionality.
The core of an IAST tool is its sensor modules: software libraries included in the application code. These sensor modules keep track of application behavior while the interactive tests are running. If a vulnerability is detected, an alert is sent.
The process and feedback happen in real time in your integrated development environment (IDE), continuous integration (CI) environment, or quality assurance (QA) environment, or while in production. The sensors have access to:
Examples of such vulnerabilities could be hardcoding API keys in cleartext, not sanitizing your users’ inputs, or using connections without SSL encryption.
Static application security testing (SAST) methods examine source code in a non-runtime environment early in the SDLC. They look for suspicious code patterns that indicate security risks. Even though they are easy to deploy, SAST tools throw too many false positives because they do not take into account the presence of other security countermeasures and they lack visibility at runtime. SAST tools normally run inside the IDE as part of the compilation phase and introduce delays as the scan takes time to finish. IAST is more flexible than SAST because it is applicable in production runtime environments (SAST requires direct access to the source code).
Dynamic application security testing (DAST) methods work like a black-box scanner that executes requests against the application to find security issues. DAST tools look at the application from the outside and determine the presence of risks by examining the server’s response (including body and headers) to a battery of tests, but they have no visibility into the internal workings of the app. Furthermore, DAST tests are hard to automate, because DAST tools must be operated by experienced appsec teams, such as penetration testers, to be truly useful. Forrester estimates that a DAST scan can take around 5 to 7 days, while testing with IAST is a real-time (zero minutes) operation.