IAST (interactive application security testing) analyzes code for security vulnerabilities while the app is run by an automated test, a human tester, or any other activity “interacting” with the application's functionality. This technology reports vulnerabilities in real time, which means it adds no extra time to your CI/CD pipeline.
IAST works inside the application, which makes it different from both static analysis (SAST) and dynamic analysis (DAST). This type of testing also doesn’t test the entire application or codebase, but only whatever is exercised by the functional test.
IAST works best when deployed in a QA environment with automated functional tests running.
- Speed of results: IAST reports findings in real-time for the scope of the app being “exercised.”
- API testing: Many functional API tests are automated, making IAST a good fit for teams building in microservices, etc.
- Promotes re-use of existing test cases: IAST avoids the need to re-create scripts for security testing.
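The two properties described above, that the monitor runs inside the application and that it can only report on code a functional test actually exercises, are easier to see in a working toy. The following Python is an added illustration, not Veracode's or any vendor's agent; it assumes a hypothetical demo application with three routes, a stand-in database whose `execute()` is the monitored sink, and a minimal taint-tracking string class standing in for the runtime hooks a real agent would install.

```python
"""Toy in-process IAST-style monitor (an added illustration, not Veracode's
or any vendor's agent).  It shows the two properties the text describes:
the monitor runs inside the application, and it can only report on code
that a functional test actually exercises."""
from dataclasses import dataclass, field


class Tainted(str):
    """String that came from a request (the *source*); taint survives
    concatenation.  A real agent hooks many more string operations;
    f-strings and .format() are deliberately not tracked in this toy."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


@dataclass
class Finding:
    route: str      # request being handled when the sink fired
    sink: str       # name of the dangerous operation
    evidence: str   # the tainted value that reached the sink


@dataclass
class IastMonitor:
    findings: list = field(default_factory=list)
    exercised: set = field(default_factory=set)
    current_route: str = "<none>"

    def taint_request(self, route, params):
        """Entry hook: record the route and mark every parameter tainted."""
        self.current_route = route
        self.exercised.add(route)
        return {k: Tainted(v) for k, v in params.items()}

    def check_sink(self, sink_name, value):
        """Sink hook: report immediately if request data reached the sink."""
        if isinstance(value, Tainted):
            self.findings.append(Finding(self.current_route, sink_name, str(value)))


class FakeDb:
    """Stand-in database whose execute() is the monitored sink.  The SQL
    *text* must never be tainted; bound parameters are safe by construction."""

    def __init__(self, monitor):
        self.monitor = monitor
        self.statements = []

    def execute(self, sql, params=()):
        self.monitor.check_sink("sql.execute", sql)
        self.statements.append((str(sql), tuple(params)))
        return []


def build_app(db):
    """Three hypothetical routes of a constructed demo application."""

    def find_user_concat(p):    # defect: SQL text built by concatenation
        return db.execute("SELECT * FROM users WHERE name = '" + p["name"] + "'")

    def find_user_param(p):     # correct: parameterised query
        return db.execute("SELECT * FROM users WHERE name = ?", (p["name"],))

    def delete_user_concat(p):  # same defect, but no functional test covers it
        return db.execute("DELETE FROM users WHERE id = " + p["id"])

    return {"/find-concat": find_user_concat,
            "/find-param": find_user_param,
            "/delete": delete_user_concat}


def handle_request(monitor, app, route, params):
    """Dispatcher with the IAST entry hook wired in."""
    return app[route](monitor.taint_request(route, params))


def run_functional_tests():
    """Constructed functional tests with ordinary, benign inputs: IAST needs
    no special payloads, only normal use of the feature.  Returns the
    monitor and app so callers can inspect findings and coverage."""
    monitor = IastMonitor()
    app = build_app(FakeDb(monitor))
    handle_request(monitor, app, "/find-concat", {"name": "alice"})
    handle_request(monitor, app, "/find-param", {"name": "bob"})
    return monitor, app


def unexercised_routes(monitor, app):
    """Routes no test touched: IAST is silent about them, flawed or not."""
    return sorted(set(app) - monitor.exercised)


if __name__ == "__main__":
    mon, application = run_functional_tests()
    for f in mon.findings:
        print(f"[IAST] {f.sink} reached with request data on {f.route}: {f.evidence!r}")
    print("not covered by any test:", unexercised_routes(mon, application))
```

Running the functional tests yields exactly one finding, on `/find-concat`, raised at the moment the concatenated SQL reaches `execute()`; `/find-param` is exercised but clean, and `/delete` never appears in the results because no test drove it. That last point is the caveat to plan for: IAST coverage is your functional-test coverage, which is why the text recommends pairing it with SAST and DAST rather than relying on it alone.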
IAST is best used in conjunction with other testing technologies. Most organizations need both security assurance and developer-centric solutions. Security assurance solutions, including static analysis, dynamic analysis, and software composition analysis, provide security teams, executives, and application owners with comprehensive assessments that support risk-based decision-making. Developer-centric solutions, like Veracode Greenlight, software composition analysis, and IAST, help developers find and fix security-related flaws early and often, helping them learn to code more securely and reducing the number of defects later in the development lifecycle.