I've been sharing ideas on how to build security into your development process. An important step in the development process is testing.
There are many techniques used in security testing. It's useful to understand the different approaches, and their advantages and disadvantages. So far we've looked at Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). This week we look at IAST. (If you missed any of the previous posts, I've included all the links at the bottom.)
What is Interactive Application Security Testing?
Interactive Application Security Testing (IAST) is a newer approach to security testing. It was developed to overcome some of the limitations of SAST and DAST, and combines aspects of both.
IAST uses software instrumentation to observe how an application behaves while it runs. The IAST tool places an agent (or sensor) inside the running application. The agent watches HTTP requests and responses, calls to databases and other back-end services, the flow of data between them, and configuration information. Because it sees the code that actually executes, it can detect vulnerabilities in custom code, third-party libraries, and even code generated on the fly. The tool then reports each vulnerability together with the location in the code that caused it.
The agent can run during automated testing, manual testing, or a mix of the two.
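The following toy illustrates the mechanism described above. It is an added example, not code from the original post or from any IAST product: a hypothetical in-process "agent" marks request parameters as untrusted, propagates that taint through string concatenation, and records a finding when tainted text reaches a SQL sink, noting which application function called the sink. Real IAST agents instrument the language runtime itself (bytecode or JIT hooks) rather than using a `str` subclass; the `Tainted`, `Agent`, `instrumented_execute` and `taint_request` names are invented for this example, and the `users` table is constructed sample data.

```python
import sqlite3
import traceback
from dataclasses import dataclass, field

# Toy in-process "agent" (hypothetical, for illustration). A real IAST agent
# instruments the language runtime; here taint is carried by a str subclass
# and checked at a single sink, sqlite3's Cursor.execute.

class Tainted(str):
    """A string that remembers it came from an untrusted source."""
    def __new__(cls, value, source="http.request"):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    # Taint propagates through concatenation, which is how the vulnerable
    # handler below builds its query. (f-strings and str.format() are not
    # covered by this toy; a real agent hooks those in the runtime.)
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.source)

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.source)

@dataclass
class Finding:
    rule: str       # vulnerability class
    sink: str       # instrumented call that received tainted data
    source: str     # where the data entered the application
    location: str   # application function, file and line that called the sink
    evidence: str   # the tainted value seen at the sink

@dataclass
class Agent:
    findings: list = field(default_factory=list)

    def check_sink(self, sink, value, rule):
        """Record a finding if tainted data reaches an instrumented sink."""
        if not isinstance(value, Tainted):
            return
        # Two frames up is the application code that called the sink wrapper;
        # this is how a finding is mapped back to a line of code.
        caller = traceback.extract_stack(limit=3)[0]
        self.findings.append(Finding(
            rule=rule, sink=sink, source=value.source,
            location=f"{caller.name} ({caller.filename}:{caller.lineno})",
            evidence=str(value)))

AGENT = Agent()

def instrumented_execute(cursor, sql, params=()):
    """Sensor around the SQL sink. Only the query text is checked: bound
    parameters never become part of the SQL, so they are safe by construction."""
    AGENT.check_sink("sqlite3.Cursor.execute", sql, "sql-injection")
    return cursor.execute(sql, params)

def taint_request(params):
    """Sensor at the HTTP source: every request parameter is untrusted."""
    return {k: Tainted(v, "http.request") for k, v in params.items()}

def vulnerable_lookup(conn, request):
    # Tainted input is concatenated into the query text -> finding.
    params = taint_request(request)
    sql = "SELECT id, name FROM users WHERE name = '" + params["name"] + "'"
    return instrumented_execute(conn.cursor(), sql).fetchall()

def safe_lookup(conn, request):
    # Same input, bound as a parameter; the query text is constant -> no finding.
    params = taint_request(request)
    sql = "SELECT id, name FROM users WHERE name = ?"
    return instrumented_execute(conn.cursor(), sql, (params["name"],)).fetchall()

def demo_db():
    """Constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn

def run_demo():
    """Drive both handlers with a constructed injection payload, as an
    automated functional test would, and return what the agent observed."""
    AGENT.findings.clear()
    conn = demo_db()
    attack = {"name": "' OR '1'='1"}
    vuln_rows = vulnerable_lookup(conn, attack)
    safe_rows = safe_lookup(conn, attack)
    return vuln_rows, safe_rows, list(AGENT.findings)

if __name__ == "__main__":
    vuln_rows, safe_rows, findings = run_demo()
    print(f"vulnerable handler returned {len(vuln_rows)} rows, safe handler {len(safe_rows)}")
    for f in findings:
        print(f"[{f.rule}] {f.source} -> {f.sink} in {f.location}: {f.evidence!r}")
```

Both handlers receive the identical payload, yet only `vulnerable_lookup` produces a finding, and that finding names the function and line that built the query. That is the point of observing from inside the process: the agent reports what untrusted data actually reached the sink, not a pattern that might be dangerous.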
IAST versus SAST and DAST
SAST analyses source code from the inside out, when the application is not running. Like SAST, IAST works from inside the application and can map each finding back to the code responsible (the class, method and line in the stack trace). Unlike SAST, it does not examine the entire codebase: it only assesses the code paths that the tests or traffic actually exercise. This makes it faster to execute than SAST, but less comprehensive; a path nobody exercises produces no finding.
DAST looks for vulnerabilities by simulating attacks from the outside while the application runs in a test environment, with no knowledge of the code. Like DAST, IAST assesses the application while it is running, but it observes from inside the process rather than probing from outside.
Advantages of IAST
The earlier you identify a problem, the faster and cheaper it is to fix. IAST can run as soon as there are functional tests to drive the application, so findings arrive while the code is still fresh in the developer's mind.
Accurate results
IAST reports a vulnerability only when it observes untrusted data actually reaching a dangerous sink at runtime, so it has a much lower false-positive rate than SAST, which has to reason about every path the code might take. This reduces the noise and alert fatigue associated with testing.
Accurate identification of the cause
IAST has access to the running code, its memory, and the stack trace at the moment a vulnerability is triggered. This means the IAST tool can point to the exact line of code responsible, and often to the request that triggered it, which makes it faster for developers to fix the problem.
Quick feedback
IAST reports findings in real time, as the tests that trigger them run. This makes it easier for testing to keep up with the pace of development.
Easy integration
IAST integrates into CI/CD (continuous integration and deployment) processes. It also integrates with standard build, test, and QA tools without extensive configuration.
Disadvantages of IAST
IAST is a newer approach, which has not yet been widely adopted. OWASP only lists one IAST tool (Contrast Community Edition) that is currently free. So the choice of tooling is narrow, and the limitations of the approach are less well understood than those of SAST and DAST.
Reduced performance
IAST tools can slow down the application. The agent adds instrumentation to every monitored call, so code runs more slowly with the agent attached, which matters for performance tests and for any environment where the agent has to stay in place.
Limited language coverage
An IAST agent is specific to one language runtime (a Java agent cannot instrument a .NET application, for example), and vendors only ship agents for the mainstream runtimes and frameworks. Applications built on unsupported or legacy stacks cannot be tested this way.
Needs a mature test environment
IAST requires a modern software development environment and architecture. More importantly, it only sees code that is executed, so its coverage is only as good as the tests or traffic driving the application. It works best in a QA environment with a comprehensive suite of automated functional tests; with thin tests, large parts of the application are never assessed.
Conclusion
Like SAST and DAST, IAST is another tool to use in your development process. (And another acronym to remember!) It is best used in combination with other testing technologies.
Have you had any experience using IAST? Please share your views and comments.
If you missed any of the previous articles, here are the links: