Would the Real IAST Please Stand Up?
Opinion: The term Interactive Application Security Testing (IAST) is probably the vaguest in the world of application security testing. Any tool that extends beyond the traditional DAST or SAST model may use it – and many do. However, I feel that only AcuSensor truly deserves to be called interactive.
We all love putting things in pigeonholes. Any new technology that emerges has a fancy name associated with it, usually with an easy-to-remember acronym as well. And things were no different when the term IAST was first introduced by Gartner. Unfortunately, the proposed definition was vague enough to apply to a lot of very different tools using very different approaches.
When Acunetix introduced AcuSensor in 2008, it was unlike anything else in the world. There was no other tool that would use this kind of architecture – a truly interactive one. Why interactive? Well, in the case of AcuSensor, the web application scanner (DAST) interactively talks to the sensors placed next to the source code or byte code. That is why we believed that the term Interactive Application Security Testing fully applied and we keep using it to this day.
However, AcuSensor works differently than almost all other IAST solutions. Sometimes I wonder if we should have used a different term instead? IDAST (Interactive Dynamic Application Security Testing)? AIAST (Advanced Interactive Application Security Testing)? IIAST (Intelligent Interactive Application Security Testing)?
The Funny Thing About Passive IAST
To understand the difference between Acunetix IAST (let’s call it active IAST) and almost every other IAST product (let’s call them passive IAST), you must first understand how they all work.
A typical IAST solution is, basically, a set of sensors inserted into the source code or byte code of an application. To test your application, you must either deploy the sensors as, for example, WAR files or recompile the application with special source code fragments included. AcuSensor follows the same model, with one difference: you never have to recompile anything. You just deploy the sensor files on the server and run them.
The sensors report what is going on in the application with a high level of detail. They show the state of memory, which functions are being called, how data is being processed: basically, whatever the creators of the IAST product decided is needed. This information lets the tool see the exact effect of a payload inside the application, which confirms that the attack really reaches the vulnerable code (rather than inferring it from HTTP responses) and pinpoints the source of the vulnerability down to the line of code.
However, most IAST tools stop there. Their sensors are purely passive: they can only report on code that is actually executed, so any code path that nobody exercises is invisible to them. As a result, the only way to find all vulnerabilities with a typical IAST tool is either to hire a human tester to click through every part of the application or to get a crawler of some kind to do it for you. And just reaching every part of the application is not enough; you also need to see what effect attack payloads have on it, and ordinary traffic does not carry any.
So the funny thing about passive IAST is that to verify the entire application, you need to pair it with a DAST!
Why the Acunetix Approach to IAST Is So Awesome
The reason we feel that Acunetix truly deserves the term interactive is that there is actual interaction between the components doing the testing. A typical IAST needs to be triggered by a human tester, a crawler, a test suite, or a DAST tool. However, it does not interact with whatever triggered it; it simply reports its findings to the IAST console.
What is awesome about AcuSensor is that there is true interaction between the DAST part and the IAST part of the test setup. The IAST sensors report their findings to the DAST scanner that, at the same time, is attacking the application from the outside. Correlating the two sources of data, the payload the scanner sent and what the sensor observed inside the application, is what gives a truly full picture of the vulnerability.
This is why I’m convinced that AcuSensor deserves the IAST name much more than solutions that simply rely on passive sensors placed within the application. It also deserves the name more than applications that try to follow the idea introduced by AcuSensor but don’t even come close.
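As an added illustration of the two modes described above (this is example code written for this post, not Acunetix code, and it does not show how AcuSensor is actually implemented), here is a toy Python model. A sensor hooked around a SQL sink records every call; a passive crawl with benign input sees which sinks ran but carries no payload, so it cannot prove anything; an active scanner tags each injected request with an assumed `X-Scan-Id` header so the sensor's report can be matched to the exact payload that reached the sink. The application, the header name, the payload and the routes are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# A deliberately vulnerable toy application (constructed for this example).
class FakeDB:
    def execute(self, sql: str) -> str:          # the sink a sensor would watch
        return f"executed: {sql}"

db = FakeDB()

def search_handler(params: Dict[str, str]) -> str:
    # String concatenation into SQL: the flaw the scanner should find.
    return db.execute("SELECT * FROM items WHERE name = '" + params.get("q", "") + "'")

def about_handler(params: Dict[str, str]) -> str:
    return "about page"                          # never reaches a sink

ROUTES: Dict[str, Callable[[Dict[str, str]], str]] = {
    "/search": search_handler,
    "/about": about_handler,
}

@dataclass
class SensorReport:
    sink: str
    argument: str
    scan_id: Optional[str]                       # None for ordinary traffic

class Sensor:
    """In-process hook around a sink; it only sees code that actually runs."""
    def __init__(self) -> None:
        self.reports: List[SensorReport] = []
        self.current_scan_id: Optional[str] = None

    def install(self, target: object, method: str, sink_name: str) -> None:
        original = getattr(target, method)
        def hooked(arg: str) -> str:
            self.reports.append(SensorReport(sink_name, arg, self.current_scan_id))
            return original(arg)
        setattr(target, method, hooked)

def handle_request(sensor: Sensor, path: str, params: Dict[str, str],
                   headers: Dict[str, str]) -> str:
    # X-Scan-Id is an assumed correlation header invented for this example.
    sensor.current_scan_id = headers.get("X-Scan-Id")
    try:
        return ROUTES[path](params)
    finally:
        sensor.current_scan_id = None

PAYLOAD = "' OR '1'='1"                          # constructed injection payload

def passive_sensor_sees(sensor: Sensor, visited: List[str]) -> List[str]:
    """Passive mode: a crawler sends benign traffic; the sensor only records which sinks ran."""
    for path in visited:
        handle_request(sensor, path, {"q": "shoes"}, {})
    return [r.sink for r in sensor.reports if r.scan_id is None]

def dast_scan(sensor: Sensor, paths: List[str]) -> List[dict]:
    """Active mode: the scanner injects, then matches the sensor's report to its own request."""
    findings = []
    for i, path in enumerate(paths):
        scan_id = f"scan-{i}"
        handle_request(sensor, path, {"q": PAYLOAD}, {"X-Scan-Id": scan_id})
        for report in sensor.reports:
            # Confirmed only when this request's payload reaches the sink unchanged.
            if report.scan_id == scan_id and PAYLOAD in report.argument:
                findings.append({"path": path, "sink": report.sink,
                                 "argument": report.argument})
    return findings

def demo() -> dict:
    sensor = Sensor()
    sensor.install(db, "execute", "FakeDB.execute")
    passive = passive_sensor_sees(sensor, ["/about", "/search"])
    active = dast_scan(sensor, ["/about", "/search"])
    return {"passive": passive, "active": active}

if __name__ == "__main__":
    print(demo())
```

The passive pass only tells you that `FakeDB.execute` ran; it cannot say whether the query is injectable because nothing hostile was sent. The active pass returns exactly one finding, for `/search`, with the scanner's own payload visible inside the SQL string the sink received, which is the correlation the post is arguing for.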
What do you think?
*** This is a Security Bloggers Network syndicated blog from Web Security Blog – Acunetix authored by Tomasz Andrzej Nidecki. Read the original post at: http://feedproxy.google.com/~r/acunetixwebapplicationsecurityblog/~3/w8m2-xhYmFg/