As organizations modernize their technologies and delivery pipelines, traditional Dynamic Application Security Testing (DAST) is increasingly seen as a bottleneck for one main reason: time. A DAST scan has to crawl and attack a running application, and it needs specialist skills to set up and maintain. At the pace of CI/CD, fitting that cycle into every build is a growing challenge. Automation and fast turnaround are mandatory for a successful application security program in a modern development environment, and DAST on its own cannot meet those requirements.
Looking to the future of application security testing, which approach comes to mind? For many InfoSec practitioners the answer is Interactive Application Security Testing (IAST), often described as the next generation of dynamic application security testing. So let's start with the basics: what is IAST?
Active and Passive IAST
To start, the technology is traditionally split into two methodologies, active IAST and passive IAST, although the words 'active' and 'passive' do not precisely describe what each of them does.
Both rely on an agent instrumented into the application itself during the testing stages of the SDLC. The differences lie in how detection is triggered and, as a consequence, in how well each methodology fits a fast-paced development landscape.
Active IAST (Induced IAST)
The term 'induced IAST' is more descriptive, in my opinion, because detection depends on an external source that triggers the agent instrumented in the application: induced IAST needs a DAST tool to drive it. Simply put, induced IAST fills in what DAST alone misses. A DAST tool can only judge an attack by what is reflected in the response, so non-reflective attacks (for example, an injection whose effect never shows up in the HTTP reply) go undetected. The induced IAST agent instead observes the payload reaching its target inside the application and reports back to the DAST tool whether the test attack succeeded. The trade-off is that induced IAST cannot deliver fast turnarounds or full automation on its own, because it runs only when a DAST cycle triggers it.
Passive IAST (Self Induced IAST)
Passive IAST also uses an agent instrumented into the tested application, but this agent is independent: it monitors the application while it runs, observing code and data flow, and looks for vulnerabilities without sending anything to the application itself. Because passive IAST does not "attack" the application, it does not interfere with other security testing running at the same time. It also works with whatever automation already exists: the functional test automation that exercises the application is what drives detection, so coverage follows the tests (code that no test reaches, the agent never observes). This is the methodology that goes hand in hand with modern DevOps and CI/CD, since it runs in parallel with the existing test automation and returns results immediately.
How IAST fits into the CI/CD environment
Passive IAST monitors running applications in the development and/or testing stages and integrates seamlessly into existing automated testing. It is agnostic to who or what drives the application's quality tests, because the monitoring agent lives inside the application under test: once the application starts, monitoring starts. The agent collects data as the standard test framework runs and returns security results immediately.
This paves the way for two critical functions that make IAST a strong fit for CI/CD:
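To make the passive (self-induced) model concrete, here is a toy agent written for this article as an added illustration; it is not Checkmarx code or any vendor's agent. It hooks one source (reading a request parameter) and one sink (executing SQL) inside a small application, then simply watches ordinary functional tests run with benign input. The application, its in-memory users table, the request dicts and the get_param/run_query helper names are all constructed for the example. One simplification: a real agent propagates taint through string operations, whereas this one checks whether a source value appears verbatim in the SQL text.

```python
"""
Toy passive IAST agent (added illustration, not Checkmarx or any vendor's code).

The agent wraps a source and a sink inside the application under test and
records a finding when a value read at the source reaches the sink embedded in
the SQL text instead of being passed as a bound parameter. Nothing is attacked:
the functional tests below use benign input. The application, table, requests
and helper names are constructed for the example. Simplification: a real agent
tracks taint through string operations; this one uses verbatim matching.
"""
import functools
import sqlite3
import sys


class PassiveIastAgent:
    def __init__(self):
        self.untrusted = []  # distinct values observed at instrumented sources
        self.findings = []   # one dict per (value, sink call) that looks injectable

    def source(self, fn):
        """Wrap a function whose return value is attacker-controlled."""
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            value = fn(*args, **kwargs)
            # Ignore very short values: they would match SQL keywords by accident.
            if isinstance(value, str) and len(value) >= 3 and value not in self.untrusted:
                self.untrusted.append(value)
            return value
        return wrapper

    def sql_sink(self, fn):
        """Wrap the SQL helper; flag untrusted data that ended up in the query text."""
        @functools.wraps(fn)
        def wrapper(conn, sql, params=()):
            caller = sys._getframe(1)  # the application function calling the sink
            for value in self.untrusted:
                if value in sql:
                    self.findings.append({
                        "type": "SQL injection",
                        "value": value,
                        "sql": sql,
                        "location": f"{caller.f_code.co_name}:{caller.f_lineno}",
                    })
            return fn(conn, sql, params)  # the application keeps working normally
        return wrapper


# --- application under test (constructed for the example) --------------------

def get_param(request, name):
    """Source: reads an untrusted query-string parameter."""
    return request.get(name, "")


def run_query(conn, sql, params=()):
    """Sink: the one place this application executes SQL."""
    return conn.execute(sql, params).fetchall()


def lookup_user_vulnerable(conn, request):
    name = get_param(request, "user")
    return run_query(conn, f"SELECT id FROM users WHERE name = '{name}'")


def lookup_user_safe(conn, request):
    name = get_param(request, "user")
    return run_query(conn, "SELECT id FROM users WHERE name = ?", (name,))


def delete_user_vulnerable(conn, request):
    # Just as injectable, but no functional test below ever calls it.
    name = get_param(request, "user")
    return run_query(conn, f"DELETE FROM users WHERE name = '{name}'")


_ORIGINAL_GET_PARAM, _ORIGINAL_RUN_QUERY = get_param, run_query


def instrument(agent):
    """Attach the agent by rebinding the source and sink the application calls."""
    global get_param, run_query
    get_param = agent.source(_ORIGINAL_GET_PARAM)
    run_query = agent.sql_sink(_ORIGINAL_RUN_QUERY)


def run_functional_tests():
    """Ordinary functional tests with benign input, run with the agent attached."""
    agent = PassiveIastAgent()
    instrument(agent)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])

    request = {"user": "alice"}
    # Both paths return the same rows: nothing in the response distinguishes the
    # injectable query from the safe one, which is what a reflection-based
    # DAST check would miss. The agent still flags the vulnerable path.
    assert lookup_user_vulnerable(conn, request) == [(1,)]
    assert lookup_user_safe(conn, request) == [(1,)]
    # delete_user_vulnerable is never exercised, so the agent never sees it:
    # passive IAST coverage is bounded by the tests that actually run.
    return agent.findings


if __name__ == "__main__":
    for finding in run_functional_tests():
        print(finding)
```

Running the functional tests yields exactly one finding, located in lookup_user_vulnerable, even though the test input was the perfectly ordinary name "alice" and both lookups returned identical rows. The unexercised delete path produces nothing, which is the practical caveat to keep in mind: the agent reports on the code your tests run, so functional test coverage directly determines security coverage.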
Advantages of IAST