What is IAST ( Interactive Application Security Testing)

IAST (Interactive Application Security Testing ) is a term for tools that combine the advantages of SAST (Static Application Security Testing and DAST ( Dynamic Application Security Testing ).

As a generic term, IAST tools can differ greatly in their approach to testing web application security. We will explain how these testing tools came about, how they detect security vulnerabilities, and what their advantages and disadvantages are.

Web Application Security Testing Tools

The tools that help secure your web applications can generally be divided into two classes:

SAST tools also known as source code scanners. Its features include:

• They work only on the application’s source code;
• Identify the exact cause of the problem;
• They may encounter problems in code that has already been created but not yet used in the application;
• Language dependent — only support selected languages ​​such as PHP, Java, etc.;
• Known for reporting many false positives;
• Unable to discover data or configuration related issues;
• They do not cover the security of third-party libraries or products.

And DAST tools, including automated vulnerability scanners and manual penetration testing tools that have the following characteristics:

• They only work on the compiled application;
• They are completely independent of the language used to create the application;
• Discover data and configuration issues;
• Report fewer false positives than SAST tools;
• Unable to pinpoint the exact source of the problem (ie the line of code).

An experienced web security company would traditionally have to employ these two types of tools separately.

SAST tools would be used for code review by companies that develop their own web applications. DAST tools would be used more frequently, by all companies that have web pages or applications (including those that develop their own applications).

To make life easier for companies, manufacturers of web application security tools have realized that static and dynamic testing techniques can be combined to create better tools that include the advantages of both. This is how IAST ( Interactive Application Security Testing ) was born.

Types of IAST tools

The biggest problem with IAST is that the idea came to the minds of SAST and DAST tool makers independently and this has resulted in products that use the same generic term but are actually quite different.

Below, you will learn how the IAST tools are divided between passive and active:

Passive IAST:

1. IAST functionality built into SAST tools gives you an advantage over pure SAST. It allows these scanners to confirm some of the false positives by compiling and testing the code. Therefore, the false positive rate is reduced.
2. However, static analysis tools with IAST functionality still retain one of their biggest drawbacks: lack of focus on third-party products. So, if you use a passive IAST solution, you can just trust that third parties deliver products that are completely secure, which unfortunately is often not the case.
3. IAST’s passive tools often search for vulnerabilities in pieces of code currently analyzed by the static part of the solution. This means that the entire application is not compiled and tested as a whole, which can cause certain vulnerabilities to be missed.
4. An IAST tool that was originally created as a SAST product remains a source code scanner. Unfortunately, it does not include all the features and benefits of DAST. It’s an improvement over a pure SAST tool, but it doesn’t eliminate the need for a web vulnerability scanner.

Active IAST:

1. DAST tools with IAST functionality focus on introducing an advantage of SAST: identifying the source of the problem so your developers don’t spend time trying to figure out the line of code that causes the vulnerability.
2. Unfortunately, dynamic analysis tools work in real-time when running applications, so they don’t directly access source code. However, they can access compilers and interpreters.
3. Languages ​​like PHP, an active IAST tool can identify the exact line of code causing the vulnerability. In the case of precompiled languages, it can identify the problem in the byte code, which speeds up its location in the source code.
4. In short, a DAST solution with an IAST agent cannot be expected to completely replace a dedicated source code scanner, but it does have some of its advantages and even improves the efficiency of dynamic tests.

IAST in the software development lifecycle:

One of the biggest advantages of IAST, regardless of being passive or active, is its usability in the development process.

Companies building their own web applications need to know about potential issues as soon as possible to avoid the costs and risks associated with discovering vulnerabilities in production. That’s why one of the main trends in software development today is to replace DevOps with DevSecOps.

SAST tools, by their nature, are meant to be used as part of continuous integration. DAST tools are often wrongly considered unsuitable for this, but contrary to such opinions, high-end DAST solutions are successfully used in CI/CD pipelines by many companies. Introducing IAST agents is often more complex, but worth it.

Passive IAST and Active IAST are equally suited for secure code and software development. However, passive IAST is expected to report more false positives and not cover third-party elements used in development. On the other hand, active IAST, which is much more complete, may require more computing resources.