What is IAST?

Between white-box testing like SAST and black-box testing like DAST stands another acronym: IAST. Interactive Application Security Testing (IAST) is part of the toolbox available for the development and testing phases of the SDLC. It is a runtime code analysis technology that works differently than SAST and DAST, but combines their benefits to provide greater accuracy during application security testing.

How does IAST work?

There are actually two types of IAST methodologies: active and passive. Both methodologies rely on an agent instrumented within the application.

  • Active IAST: This one requires a DAST tool or other active scanning to function. The IAST tool will reduce some of the false negatives and positives from DAST results, such as flagging non-reflective attacks, or validate a detected vulnerability. While it provides very accurate results, Active IAST does not suit fast-paced development environments, since DAST requires full compilation upon every code change and can only be used towards the end of the SDLC.
  • Passive IAST: Here the agent is independent and works in the background to monitor and analyze the code while the application is in runtime. It does not perform attacks and scans to detect the vulnerabilities. Any sort of testing performed on the application, whether automatic or manual, will be leveraged to collect and deliver security issues on the running code in real-time.

IAST tools sit within an application to uncover vulnerabilities. Since they are running from within the application, IAST tools detect vulnerabilities in running code, whether it be custom code, third-party libraries, or even code generated on the fly by the framework. The agent is able to monitor HTTP requests and responses, calls to the databases, the data flows, and configuration information. The tool then shows the reflection of the source code and points out the location of vulnerabilities for developers.

The results can be displayed in the web browser toolbar, the server console, a dedicated user interface, and/or generated reports, and they can be integrated within an issue tracking tool.

What are IAST’s advantages?

One of the key benefits of IAST tools is that they combine SAST’s advantage of source code access with DAST’s execution visibility. That is how IAST tools are able to tie a vulnerability they find to the lines of source code causing it.

Passive IAST tools deliver clear and actionable results in real-time while functional tests are being performed. Consequently, no additional time is added to the SDLC for security scans. Also, no maintenance is needed when changes are made to the application, and the tools scale well. These advantages are particularly useful in today’s fast-paced agile development landscape and more so for teams adopting DevOps and DevSecOps.

IAST tools can be useful during different phases of the SDLC. While they can be used early on during the development phase to deliver a lot of value to the developers and help educate them in secure coding, the QA and testing phases can also benefit from IAST capabilities. IAST tools can even be extended to production environments by leveraging production data to enable advanced fuzzing of the application.

Furthermore, IAST tools achieve a high accuracy rate because they verify every identified vulnerability to make sure it is real and exploitable (i.e. they have a very low false positive rate). They will also help identify which part of the code didn’t run. Thus, more functional testing could be designed to expand the coverage.

Finally, some advanced IAST tools can create new tasks in your issue tracking tool to log the security issues to be fixed.

What are IAST’s drawbacks?

IAST tools have to be embedded within the tested application and are based on code instrumentation. As such, they are server-side and language-specific. This means that some IAST tools aren’t able to catch client-side vulnerabilities.

IAST tools test the parts of the application that are being executed, which means that it falls on the developer or the tester to make sure that the testing scenarios cover all the areas of the application. That’s where leveraging production data can be helpful.

IAST tools are non-blocking, which means that they only report the vulnerability but will not block the query. If the objective is to monitor real traffic and block suspicious activities in production, RASP tools are better suited for the need.

Where do IAST tools fit in?

IAST tools can be looked at as an evolution on the SAST and DAST approaches. They are well suited for development, testing, and/or QA environments to identify security vulnerabilities. They can also be used in production environments to analyze test traffic. For protecting production applications however, RASP tools are the right choice. They are able to monitor real traffic and block attacks in real-time.