How does IAST fit into DevSecOps?
IAST, a new generation of application security testing that bridges the gaps between SAST, DAST, and pen testing, seems to have been made for DevSecOps.
Application security testing has become more prevalent, leading to the need for more effective tools in the software development life cycle (SDLC). Initially, this may bring to mind SAST, DAST, and penetration testing (pen testing), given their history of working well in legacy software development environments. However, with the emergence of new technologies and practices such as containers, microservices, and DevOps, these traditional tools struggle to keep up with the fast pace of modern application delivery.
Consequently, interactive application security testing (IAST) has emerged to address security testing challenges, especially those found in DevSecOps. IAST is a new generation of application security testing that bridges the gaps between SAST, DAST, and pen testing. You could even say that IAST was made for DevSecOps and the closely allied SDLC concepts of agile and CI/CD (continuous integration/continuous delivery).
Benefits of IAST in DevSecOps
Many organizations already recognize how well IAST works in rapid development cycles, but there is plenty of room for it to grow. Recent survey results show that 25% of cyber security professionals don’t know whether their organizations are using IAST. However, IAST adoption is expected to grow as DevSecOps organizations learn more about the many benefits of using IAST, including these:
Integration and automation
IAST combines the best of DAST (dynamic application security testing), which tests running applications for real vulnerabilities, and SAST (static application security testing), which tests code in a nonrunning state; IAST itself is easily integrated and automated at several points in the SDLC. And IAST doesn’t need additional scans, as it continuously monitors applications and detects vulnerabilities in real time in the background while functional testing occurs.
In fact, IAST creates virtually no delay during testing in CI/CD workflows, and an IAST solution integrated with software composition analysis (SCA) can find third-party software dependencies and detect known vulnerabilities and license conflicts in open source.
One of the most valuable benefits that IAST brings to DevSecOps is that it can begin as early as build integration, when developers perform functional testing via web pages or APIs. IAST agents monitor an application during the testing and QA stages, reporting on any vulnerabilities they discover, and can also find configuration issues in running programs.
Overall, with IAST automatically detecting security vulnerabilities in the background, your development teams can concentrate on carrying out their usual testing and quality assurance (QA) work.
One advantage of IAST over other types of security testing is its ability to validate and report only new vulnerabilities in an updated codebase. Testing on such an incremental basis, IAST enables developers to catch and correct issues earlier in the SDLC, when they are most familiar with the code and a fix costs less, both in developer effort and in security risk.
Vulnerability verification and sensitive-data tracking
Another edge that IAST has over some other forms of application security testing in DevSecOps is its ability to pinpoint the specific lines of code where it has identified an application vulnerability. Thus, developers can save many hours trying to track down coding bugs and errors. The best IAST solutions can also automatically verify whether the vulnerabilities they find are exploitable, so developers are less likely to investigate a bug only to come to the irritating conclusion that it is nothing more than a false positive.
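As an added illustration (not code from the original post or from any IAST product), the following Python sketch shows the mechanism the preceding paragraphs describe: an in-process monitor labels request input as tainted, flags it when it reaches a SQL sink while the functional tests run, records the file, line and function of the offending call, and diffs findings against a previous run so that only new ones are reported. The names Tainted, IastMonitor, lookup_user and the sample queries are assumptions made for the example.

```python
# Added illustration of IAST-style runtime monitoring (not any vendor's agent):
# a source labels request input as tainted; a sink flags tainted SQL text and records the line.
import inspect
from collections import namedtuple

class Tainted(str):
    """String that came from untrusted input; the taint survives concatenation."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))
    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

Finding = namedtuple("Finding", "rule file line function")  # what the agent reports

class IastMonitor:
    """Hypothetical in-process agent: watches sinks while the QA suite exercises the app."""
    def __init__(self):
        self.findings = []
    def request_param(self, value):
        """Source: everything arriving from a request is untrusted."""
        return Tainted(value)
    def execute_sql(self, query, params=()):
        """Sink: tainted query text means untrusted data shaped the statement itself."""
        if isinstance(query, Tainted):
            caller = inspect.stack()[1]  # the application frame that called the sink
            finding = Finding("sql-injection", caller.filename, caller.lineno, caller.function)
            if finding not in self.findings:
                self.findings.append(finding)
        return "executed"  # no real database in this example

monitor = IastMonitor()

def lookup_user(username):
    """Sample endpoint that builds SQL by string concatenation (the defect the agent flags)."""
    return monitor.execute_sql("SELECT * FROM users WHERE name = '" + username + "'")

def lookup_user_safe(username):
    """Same endpoint with a parameterised query: the input never enters the query text."""
    return monitor.execute_sql("SELECT * FROM users WHERE name = ?", (username,))

def run_functional_tests():
    """Stands in for the QA suite; the monitor detects in the background while it runs."""
    lookup_user(monitor.request_param("alice"))
    lookup_user_safe(monitor.request_param("bob"))
    return list(monitor.findings)

def new_findings(baseline, current):
    """Incremental report: only findings absent from the previous build's run."""
    return [f for f in current if f not in baseline]
```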
Another distinctive capability of some IAST solutions is the ability to track and detect sensitive-data leakages that traditional application testing tools cannot.
IAST and the modern application security program
IAST is only one element of a modern application security program. The adoption of DevSecOps and the trend toward shifting left have empowered developers to find and fix coding errors and application vulnerabilities ever earlier in the SDLC. With waterfall software development and monolithic applications quickly becoming things of the past, security tools focused on network perimeter defense bolted on at the end of the development cycle have also become passé. You need a combination of modern solutions, such as IAST, and traditional AppSec tools, such as SAST, DAST, SCA, pen testing, and managed services, to create secure software in today’s complex development environments.
To learn more about the advantages of integrating IAST and other solutions into a modern application security program, read the new 451 Research report Designing a Modern Application Security Program.
*** This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Derek Handova. Read the original post at: https://www.synopsys.com/blogs/software-security/iast-devsecops-appsec-program/