As organizations modernize their technologies and workflows, traditional Dynamic Application Security Testing (DAST) is increasingly seen as a bottleneck for one big reason: time. DAST scans take time, specialist skills and ongoing maintenance, so at the rapid pace of CI/CD it is becoming harder to fit DAST in. Automation and fast turnarounds are mandatory for a successful application security program in modern development environments, and DAST cannot meet these requirements.
Looking at the future of application security testing, which solution comes to mind? For many InfoSec experts, the answer is Interactive Application Security Testing (IAST) – considered to be the future of dynamic application security testing. So, let’s get down to the basics – what is IAST?
Active and Passive IAST
To start, it’s a technology traditionally split into two different methodologies: active IAST and passive IAST – though the words ‘active’ and ‘passive’ don’t precisely describe what these two methodologies do.
Both active and passive IAST rely on an agent instrumented within the application itself during the testing stages of the SDLC. However, the two methodologies differ significantly in the technology itself and in how well they fit into fast-paced development landscapes.
Active IAST (Induced IAST)
The term ‘Induced IAST’ is more descriptive, in my opinion, as its detection capabilities depend on an external source that triggers the agent instrumented within the application. Induced IAST requires a DAST tool for activation. Simply put, Induced IAST completes what DAST misses. For example, non-reflective attacks that DAST leaves unseen and undetected will be detected by an induced IAST, because the agent observes the effect of the test attack inside the application rather than relying on it being reflected in the response, and reports back to DAST whether the test attack succeeded. Consequently, for organizations working in fast-paced environments, Induced IAST cannot deliver fast turnarounds or full automation, because it depends on a DAST cycle to trigger it.
Passive IAST (Self Induced IAST)
Passive IAST also uses an agent instrumented in the tested application; however, the agent is independent and monitors and analyzes code passively while the application is running, seeking vulnerabilities by observing the running code. As passive IAST does not “attack” the application, this methodology will not affect other security testing activities running at the same time. Passive IAST works with your existing automation processes, meaning that any test automation already implemented is leveraged to detect security issues. This is also the methodology that goes hand in hand with modern DevOps and CI/CD development processes, as it works in parallel with the existing test automation and provides immediate results.
How IAST fits into the CI/CD environment
Passive IAST monitors running applications in the testing and/or development stages and integrates seamlessly into existing test automation processes. Passive IAST is agnostic to who or what is running the application quality tests, thanks to a monitoring agent integrated within the application under test: once the application begins to run, the monitoring starts. The agent collects data as the standard testing framework runs and returns immediate security posture results.
This gives IAST two properties that make it the perfect fit for CI/CD:
- Zero scan time
Vulnerabilities are detected while performing functional tests. Once the functional tests are complete, the security scan is complete as well.
- Applications are detected automatically
When the application changes, no operator intervention or continuous maintenance is required.
Advantages of IAST
- Code Coverage
IAST resides inside the application under test and analyzes the entire application, including libraries and frameworks. This means that the code coverage is extensive and beats the coverage DAST provides.
When it comes to scanning for vulnerabilities, IAST’s advantage comes from the fact that it runs and tests during the application’s runtime. This means that IAST can detect anything a DAST tool can, and it also covers many of DAST’s weak spots. For example, IAST can find vulnerabilities such as sensitive data written to logs, which DAST cannot see.
- Immediate Feedback
Today’s dynamic security testing tools run occasionally, meaning the lag between introducing the error and discovering the vulnerability may be days, weeks, or even months. IAST provides instant feedback for the developer: within seconds of coding, they can see the code’s security state, allowing only “clean code” to be added. This ultimately saves time and money and makes secure development as easy as pie. IAST also has a better view into the application’s code and can provide the developer with more accurate remediation instructions.
- Zero Configuration
One of the biggest advantages IAST has is that there is no configuration. IAST is built with modern development environments in mind, and therefore the configuration part of the solution has been eliminated. If your application is running, IAST is testing and analyzing it, automatically and continuously. When DevOps and CI/CD teams build applications with an IAST agent inside from the very start, security becomes substantially easier, as scanning for vulnerabilities within the app is continuous.
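To make the passive model concrete (the in-process agent described under “How IAST fits into the CI/CD environment” and the sensitive-data-in-logs finding under Code Coverage), here is a constructed example that is not from the original post or any IAST product: a hypothetical agent hooks the application’s logging sink, an ordinary functional test drives the code, and the security result is ready the moment the test finishes. The `checkout` logger, `charge_card` functions and the test card number are all invented for the example.

```python
import logging
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    logger: str
    message: str


class PassiveIastAgent(logging.Handler):
    """Hypothetical passive agent (constructed for this example): it sits on the
    logging sink and inspects every record the app emits while functional tests
    run. It never blocks or alters the app's behaviour, which is what 'passive' means."""
    # Constructed rule: a 13-16 digit primary account number, with optional separators.
    PATTERNS = {"pan-in-log": re.compile(r"\b(?:\d[ -]?){13,16}\b")}

    def __init__(self):
        super().__init__(level=logging.NOTSET)
        self.findings = []

    def emit(self, record):
        msg = record.getMessage()
        for rule, pat in self.PATTERNS.items():
            if pat.search(msg):
                self.findings.append(Finding(rule, record.name, msg))


def install_agent() -> PassiveIastAgent:
    """Attach the agent to the root logger so records from every app logger reach it."""
    root = logging.getLogger()
    for h in list(root.handlers):  # idempotent: one agent instance at a time
        if isinstance(h, PassiveIastAgent):
            root.removeHandler(h)
    root.setLevel(logging.DEBUG)  # the agent must see every record, not only WARNING+
    agent = PassiveIastAgent()
    root.addHandler(agent)
    return agent


app_log = logging.getLogger("checkout")


def charge_card(card_number: str, amount: int) -> str:
    """Constructed application code under test. The response is just 'ok:<amount>',
    so a DAST scanner sees nothing wrong; the leak happens only in the log."""
    app_log.info("charging card %s for %d", card_number, amount)
    return f"ok:{amount}"


def charge_card_fixed(card_number: str, amount: int) -> str:
    """Hardened variant: only the last four digits ever reach the log."""
    app_log.info("charging card ****%s for %d", card_number[-4:], amount)
    return f"ok:{amount}"


def run_functional_tests(handler) -> list:
    """An ordinary functional test; when it returns, the security scan is done too."""
    agent = install_agent()
    assert handler("4111 1111 1111 1111", 42) == "ok:42"  # constructed test number
    return agent.findings
```

Running `run_functional_tests(charge_card)` reports one `pan-in-log` finding on the `checkout` logger, while `run_functional_tests(charge_card_fixed)` reports none, with no scan step and no scanner configuration involved.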