IAST (Interactive Application Security Testing) is the latest buzzword in security testing of applications during development. IAST differs from SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) in that it runs an agent inside the application server, where it observes the application as it executes and can therefore report additional detail on the vulnerabilities it finds. SAST and DAST came first and each has limits on what it can see: SAST analyzes source code without observing runtime behavior, and DAST probes the running application from the outside without any view of what happens inside it.
IAST is getting newfound attention with the recent finalization of the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5, which adds interactive application security testing as a control enhancement to the security control catalog used by the federal government. NIST is recognizing the need for better application security, and that starts with finding more vulnerabilities during security testing in development. By adopting IAST, organizations get better results from their security testing through the increased visibility that IAST solutions provide.
Organizations that want an easy way to get IAST results from their existing DAST tools can now do so with no changes to their testing methodology or tools. By adding the K2 Security Platform agent to the application server under test, K2 provides IAST results, supplying the visibility into the tested application that DAST tools lack. Paired with an existing DAST tool, K2 corroborates the DAST tool's findings while adding detail, including the name of the file containing the vulnerability and the line number of the vulnerable code within that file. Because it observes the application from the inside, K2 can also find and report vulnerabilities that the DAST tool misses.
With an agent on the application server, organizations get IAST results from their existing DAST tools without having to learn and deploy a separate IAST tool. K2 Cyber Security adds visibility into the threats discovered by penetration and security testing tools in pre-production and can also find vulnerabilities during testing that those tools missed. K2 pinpoints the exact location of a discovered vulnerability in the code: when it finds one (for example, SQL Injection, XSS or Remote Code Injection), it reports the file name and the line of code that contains the vulnerability, details that black-box testing tools typically cannot provide, so developers can start remediation quickly.
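To make the mechanism concrete, here is an added illustration (not K2's code or any vendor's) of how a runtime agent turns DAST probes into IAST findings. The agent records each request parameter as tainted, hooks the application's database layer, and when a tainted value reaches the SQL text unparameterized it records the file, line and function of the application code that called the sink. The `Database` class, the two `lookup_user_*` handlers, the probe strings and the in-memory table are all constructed for the example; a real agent would hook the actual driver or framework rather than a stand-in class.

```python
"""Added example: a toy IAST agent paired with a black-box (DAST-style) scan.

Constructed for illustration; not code from K2 or any real IAST product.
"""
import inspect
import sqlite3

FINDINGS = {}   # (file, line, function) -> finding dict reported to the tester
_TAINTED = []   # request-controlled values seen for the current request


class Database:
    """Minimal stand-in for the driver/ORM layer an IAST agent would hook."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
        self.conn.executemany("INSERT INTO users VALUES (?, ?)",
                              [("alice", "admin"), ("bob", "user")])

    def execute(self, sql, params=()):
        return self.conn.execute(sql, params).fetchall()


# --- application code under test: a vulnerable handler and its fix ----------
def lookup_user_vulnerable(db, name):
    # Request data is concatenated into the query text: SQL injection.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(sql)


def lookup_user_safe(db, name):
    # Request data travels as a bound parameter and never enters the SQL text.
    return db.execute("SELECT name, role FROM users WHERE name = ?", (name,))


# --- the agent --------------------------------------------------------------
def agent_request_hook(params):
    """Called once per request: every non-empty parameter value is tainted."""
    _TAINTED[:] = [v for v in params.values() if isinstance(v, str) and v]


def _install_sink_hook():
    original = Database.execute

    def instrumented_execute(self, sql, params=()):
        for value in _TAINTED:
            if value in sql:  # tainted data reached the query text itself
                frame = inspect.stack()[1]  # application frame that called execute()
                key = (frame.filename, frame.lineno, frame.function)
                finding = FINDINGS.setdefault(key, {
                    "type": "SQL Injection", "sink": "Database.execute",
                    "file": frame.filename, "line": frame.lineno,
                    "function": frame.function, "payloads": [],
                })
                finding["payloads"].append(value)
                break
        return original(self, sql, params)

    Database.execute = instrumented_execute


_install_sink_hook()


# --- the DAST scanner's view: send probes, observe only the responses ------
def dast_scan(handler, db, probes):
    """Return {probe: rows}, exactly what a black-box scanner can see."""
    results = {}
    for probe in probes:
        agent_request_hook({"name": probe})   # the agent sees the same request
        results[probe] = handler(db, probe)
    return results


def run_demo(handler):
    """Scan one handler; return (dast_results, agent_findings)."""
    FINDINGS.clear()
    db = Database()
    # Probe 3 returns the same rows as the benign request, so DAST alone
    # cannot distinguish it; the agent still sees the value hit the sink.
    probes = ["alice", "' OR '1'='1", "alice' AND '1'='1"]
    return dast_scan(handler, db, probes), list(FINDINGS.values())


if __name__ == "__main__":
    for handler in (lookup_user_vulnerable, lookup_user_safe):
        results, findings = run_demo(handler)
        print(handler.__name__, "DAST view:", results)
        for f in findings:
            print(f"  IAST: {f['type']} at {f['file']}:{f['line']} in {f['function']}()")
```

Run against `lookup_user_vulnerable`, the scanner sees the `' OR '1'='1` probe return both rows (a classic DAST signal) but sees identical responses for `alice` and `alice' AND '1'='1`, while the agent reports a single finding with the file, line and function of the concatenation. Against `lookup_user_safe`, the query text never contains request data and the agent reports nothing.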
Get more out of your application security testing and change how you protect your applications: check out K2’s application workload security solution and get IAST results from your DAST testing today.
*** This is a Security Bloggers Network syndicated blog from K2io authored by Timothy Chiu, VP of Marketing. Read the original post at: https://www.k2io.com/getting-iast-results-from-dast-testing/