IAST (interactive application security testing) is a form of application security testing that stems from a combination of dynamic application security testing (DAST) and runtime application self-protection (RASP) technologies. The IAST approach analyzes application behavior in the testing phase, using the RASP runtime agent and DAST as an attack inducer. The agent, which is instrumented into the application runtime engine (e.g., into JVM), has insight into the application’s logic flow, data flow and configuration, monitors the test attacks initiated by the DAST attack inducer, and then reports on the attacks that resulted (or might result) in an application’s exploit. IAST reports help developers prioritize the vulnerability findings from dynamic scans, so that they can more effectively reduce risk while keeping up with production schedules.
It is possible to use IAST without a DAST inducer, using QA testing as an inducer instead. Yet in this case, the security testing is less comprehensive, because QA, unlike DAST, lacks the breadth of attacks. Therefore, the preferred inducer for IAST is DAST technology.
Advantages of the IAST approach, in which a DAST inducer is run against a web application in QA using RASP, include the following:
- RASP makes DAST results more actionable by providing code-level visibility into the data path taken by the application.
- The RASP agent lowers DAST false positives by providing evidence of the attack through the application.
- The RASP agent provides a detailed stack of programming instructions that resulted in an application exploit by DAST attack. Thus, it enables developers to quickly and accurately apply remediation to the application code, fixing detected vulnerabilities.
- DAST simulates attacks against applications, which validates RASP’s detection and protection capabilities.
Challenges of this approach include the following:
- Requires DAST to crawl/audit the application, which can be time-consuming without proper configuration
- Run later in the process, after the programming phases, usually during the QA/test phase, as IAST requires runtime execution of the application’s functionality
Effective application security testing requires multiple approaches
IAST is best used in conjunction with other testing technologies. An effective application security solution will not rely on a single testing technology, but rather combine the strengths of multiple testing technologies along the entire application lifecycle – from development to testing and production.
For instance, in the development phase, static application security testing (SAST) analyzes code and reports on any vulnerabilities in the code that should be remediated or mitigated before moving it further through the software development lifecycle (finding vulnerabilities early in the cycle greatly reduces remediation cost). In the testing phase, IAST analyzes application behavior, using DAST as an attack inducer, to accurately determine whether the application will behave in production in a way that will expose it to risk. Finally, RASP protects applications against attacks at the production phase. In real time, RASP analyzes attacks, and continuously responds to any recognized attack by creating a real-time alert blocking the attack.
Together, these technologies form an integrated strategy for vulnerability detection and protection.
As the IT industry seeks ways to secure DevOps, these technologies offer a comprehensive solution: SAST and IAST (the latter – with DAST as an inducer) address the ‘Dev” part of DevOps (programming and testing phases) and RASP address the “Ops” (the operation part of DevOps).