As applications are being hit harder than ever with increasingly sophisticated cyberattacks, organizations are turning to application security testing solutions to keep their applications safe. And as organizations take a peek into the AppSec testing market, they are sure to see many different options. In this blog post we will take a look at two solutions: IAST and DAST.
Dynamic Application Security Testing (DAST), also known as ‘black-box testing’, tests a running application for vulnerabilities: it sends input to the application’s external interface and then monitors how the application behaves.
While this method is good at locating many kinds of vulnerabilities, it has significant restrictions. For example, the application must be past the build stage before any results can be obtained. This alone can cause major delays in larger projects with multiple builds per day, where the vulnerabilities found are numerous and often complex.
DAST therefore requires a longer turnaround cycle, and automating it becomes challenging with each new configuration. It also falls short in CI/CD flows because, by design, it can only start working once the build is complete, whereas in CI environments code is committed frequently and automation is key at every development stage.
Interactive Application Security Testing (IAST) is part of the dynamic testing world and is based on the idea of the ‘application under test’. IAST monitors running applications in testing/staging environments and integrates into existing testing platforms, whether functional, UI, network, manual or any other non-functional testing (such as load and stress testing).
Additionally, IAST is made to work hand in hand with existing automation processes, so that any test automation already in place for the application is automatically reused to detect security flaws, and it provides immediate results. This makes it the method of choice for teams working with DevOps and CI/CD processes.
To sum up, IAST and DAST have one significant thing in common: both monitor and test a running application. However, IAST can be seen as a newer, up-to-date version of DAST and is predicted to replace it as an automated testing solution, because, when properly deployed, IAST removes most of DAST’s disadvantages and lets fast-paced development teams maintain full security automation throughout the SDLC.
Unlike DAST, IAST extends security testing coverage throughout the CI/CD pipeline, without needing DAST as an ‘enabler’. This makes it ideal for DevOps and CI/CD organizations for the following reasons:
- Zero scan time – vulnerabilities are detected while performing functional testing meaning that once functional testing is over, the security scan is also completed
- Negligible operation overhead – applications are detected automatically
- IAST is agnostic to application business logic changes, meaning no operation or on-going maintenance is required when such changes occur
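The following toy illustrates the IAST model described above and the ‘zero scan time’ point in the list: a sensor hooks the application’s SQL sink, remembers which values entered through the external interface, and reports when one of them is embedded in a query while an ordinary functional test runs, with no attack payloads involved. This is an added example written for this post, not code from the original article or from any IAST product; the `IastSensor` class, the `MonitoredConnection` wrapper, the two handlers and the functional test are all hypothetical, and substring matching stands in for the real taint propagation an agent would do.

```python
"""Added illustration (not from the original post): a toy IAST-style sensor that
watches a SQL sink while ordinary functional tests run. Every name below is
hypothetical; substring matching is a stand-in for real taint tracking."""
import sqlite3


class IastSensor:
    """Toy agent: records untrusted request values and inspects the SQL sink."""

    def __init__(self):
        self.untrusted = []   # values that entered via the external interface
        self.findings = []    # what the sensor reported during the test run

    def taint(self, value):
        """Mark a request parameter as untrusted (a real agent hooks the web framework)."""
        self.untrusted.append(str(value))
        return value

    def check_sql_sink(self, sql, params):
        """Called from the wrapped sink: untrusted text that appears inside the SQL
        string itself (rather than in the bound parameters) is reported."""
        for value in self.untrusted:
            if value and value in sql:
                self.findings.append(
                    {"sink": "sql", "tainted_value": value, "query": sql}
                )


sensor = IastSensor()


class MonitoredConnection:
    """Wraps sqlite3 so every execute() call passes through the sensor first."""

    def __init__(self):
        # Constructed in-memory sample data for the demo
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
        self.conn.execute("INSERT INTO users VALUES (42, 'alice')")

    def execute(self, sql, params=()):
        sensor.check_sql_sink(sql, params)
        return self.conn.execute(sql, params)


db = MonitoredConnection()


# --- the application under test: one unsafe handler beside its corrected form ---
def get_user_unsafe(user_id):
    # Untrusted value concatenated into the query text: the sensor flags this path
    uid = sensor.taint(user_id)
    row = db.execute("SELECT name FROM users WHERE id = " + uid).fetchone()
    return row[0] if row else None


def get_user_safe(user_id):
    # Untrusted value bound as a parameter: it never appears in the SQL text
    uid = sensor.taint(user_id)
    row = db.execute("SELECT name FROM users WHERE id = ?", (uid,)).fetchone()
    return row[0] if row else None


# --- an ordinary functional test with benign input; the security check rides along ---
def run_functional_tests():
    """Run the functional assertions and return whatever the sensor reported."""
    sensor.findings.clear()
    sensor.untrusted.clear()
    assert get_user_unsafe("42") == "alice"   # functional assertion passes...
    assert get_user_safe("42") == "alice"     # ...for both handlers
    return list(sensor.findings)               # ...yet only the unsafe path is reported


if __name__ == "__main__":
    for finding in run_functional_tests():
        print("IAST finding:", finding)
```

Both handlers pass the functional test, and the scan is ‘finished’ the moment the test is, but only the concatenating handler produces a finding. Real agents propagate taint through string operations rather than matching substrings, which avoids the false positives a very short value such as "1" would cause in this toy.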