Interactive Application Security Testing (IAST) is a term for tools that combine the advantages of Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). It is a generic term, so IAST tools may differ a lot in their approach to testing web application security. Let us explain, how these testing tools came to be, how they detect security vulnerabilities, and what are their advantages and disadvantages.
Web Application Security Testing Tools
The tools that help you secure your web applications can be, in general, divided into two classes:
SAST tools (Static Application Security Testing) also known as source code scanners:
- Work only on the source code of the application
- Pinpoint the exact cause of the problem
- Can find problems in code that is already created but not yet used in the application
- Are language-dependent: support only selected languages like PHP, Java, etc.
- Known to report a lot of false positives
- Cannot discover problems related to data or configuration
- Do not cover the security of third-party libraries or products
DAST tools (Dynamic Application Security Testing) including automated vulnerability scanners and manual penetration testing tools:
- Work only on the compiled application
- Are completely independent of the language used to create the application
- Discover problems related to data and configuration
- Report fewer false positives than SAST tools
- Cannot pinpoint the exact source of the problem (i.e. the line of code)
A web-security-savvy business would traditionally have to employ these two types of tools separately. SAST tools would be used for code review by businesses that develop their own web applications. DAST tools would be used more commonly: by all businesses that have web pages or web applications (including those that develop their own).
To make it easier for businesses, web application security tool manufacturers realized that static and dynamic testing techniques can be merged together to create better tools that would include the advantages of both. This is how IAST (Interactive Application Security Testing) was born.
The biggest problem with IAST is that the idea came to the minds of manufacturers of SAST and DAST tools independently and this resulted in products that use the same generic term but are actually quite different. IAST solutions available on the market are not built from scratch: they extend either traditional source code scanners or traditional web vulnerability scanners. As such, the customer must be careful about choosing a product that fits their needs.
SAST/IAST Tools (Passive IAST)
IAST functionality built into SAST tools give them one advantage over pure SAST. It lets such scanners confirm some of the false positives by compiling and testing the code. Therefore, the false positive rate is reduced.
However, static analysis tools with IAST functionality still retain one of their biggest disadvantages: lack of focus on third-party products. Therefore, if you use a passive IAST solution, you must simply trust that third parties deliver fully secure products, which is unfortunately often not the case.
Passive IAST tools usually search for vulnerabilities in pieces of code that are currently analyzed by the static part of the solution. This means that the entire application is not compiled and tested as a whole, which may cause certain vulnerabilities to be missed.
An IAST tool that was originally built as a SAST product still remains a source code scanner. Unfortunately, it does not include all of DAST functionality and DAST advantages. It is definitely an improvement over a pure SAST tool but does not eliminate the need for a web vulnerability scanner.
DAST/IAST Tools (Active IAST)
DAST tools with IAST functionality focus on introducing one advantage of SAST: pinpointing the source of the problem so that your developers don’t spend time figuring out the line of code that causes the vulnerability. There is also added value to active IAST solutions: they provide more accurate results and greatly reduce the number of false positives.
Unfortunately, dynamic analysis tools work in real-time on running applications so they don’t directly access the source code. However, they can access compilers and interpreters. In the case of languages such as PHP, an active IAST tool can actually pinpoint the exact line of code that causes the vulnerability. In the case of pre-compiled languages, it can pinpoint the problem in byte code, which speeds up finding it in the source code.
All in all, a DAST solution with an IAST agent cannot be expected to fully replace a dedicated source code scanner but it introduces some of its advantages and even improves dynamic testing efficiency itself.
IAST in the Software Development Lifecycle
One of the biggest advantages of IAST, independent on whether it is passive or active, is its usability in the development process. Businesses that build their own web applications need to know about potential problems as soon as possible to avoid costs and risks associated with discovering vulnerabilities in production. That is why currently one of the major trends in AppSec and software development is to replace DevOps with DevSecOps.
SAST tools by their nature are made to be used as part of continuous integration. DAST tools are often wrongly perceived as unfit for it, but contrary to such opinions, leading-edge DAST solutions are successfully used in CI/CD pipelines by many businesses. The introduction of IAST agents into the SDLC is often more complex but worth it.
Both passive IAST and active IAST are an equally good fit for the SDLC. However, passive IAST can be expected to report more false positives and will not cover third-party elements used in development. On the other hand, active IAST, which is much more thorough, might require more computing resources.
Which IAST Product to Choose?
The choice of an IAST tool for you must be based on your precise requirements. If you develop applications in PHP, Java or .NET, Acunetix with AcuSensor is a very good candidate because it is a DAST tool with an IAST agent. As such, it can greatly reduce your issue remediation time by providing you with accurate information.
*** This is a Security Bloggers Network syndicated blog from Web Security Blog – Acunetix authored by Tomasz Andrzej Nidecki. Read the original post at: http://feedproxy.google.com/~r/acunetixwebapplicationsecurityblog/~3/KY-MyeqcKjw/