Interactive Application Security Testing ( IAST)

This is a relatively new technique and a term coined by the “Gartner” team for conducting comprehensive web application security testing keeping the application running. “IAST” is a quite different kind of testing technique when compared with “DAST” and definitely “SAST”. This blog is aimed to give you a quick snapshot of this technique and the key aspects associated with it. 

“Interactive Application Security Testing”, IAST, as it is called is a code analysis technique used for checking on security vulnerabilities keeping in view security standards like “OWASP top 10”  by an automated means. It is called Interactive as it is developed keeping in view of checking on the interactions that an application is having during it’s runtime with the system, humans and other environments. 

“IAST” prominently differs in the operating mode from other “security scanners” by the fact that it is used to analyse the application keeping the application running. It is important to also note that this is deployed well in advance in the application development life cycle, so “shift left” approach wise, this is also an especially useful technique to use.
 
The other pointer which makes this “Web application Scanner” an interesting technique to work with is the fact that it is faster than compared to the other testing techniques available which makes this technique use in “Micro Services” quite an interesting proposal. Definitely not to miss the part that the test cases generated from this technique is re-usable, which reduces the burden of rewriting test cases repeated for the same scenarios. 

Keeping in view of the security threats that hover around the web application, which was also highlighted by the “Verizon Data Breach” investigation report which was published in 2017, it is prominent that a testing and analysis technique needed to be in place which can pre-emptively mitigate these security threats. The report mentioned that 29.5 % of the hacking happens from web application attacks. “IAST” is a good technique to address these issues of mitigating the web application security threats. In this context the check on “OWASP top 10” issues becomes very critical. 

Apart from the fact that “IAST” solutions are fast they are also very accurate, which we can translate to zero “false positive” alarms and it is armed to detect the exact vulnerable piece of code in it’s analysis which helps development teams to mitigate the issues with ease.

Coming back to the differentiating pointers of “IAST” with “DAST” tool, it is good to mention that “DAST” tools are not meant to find the exact vulnerable piece of code but just to alarm of a vulnerability. The reason for this is more the way “DAST” tools are designed not essentially a limitation of any specific tools. But the “IAST” capabililty” to pinpoint and mitigate the issue is something very helpful. 

The other aspect which need to be highlighted here would be the way this type of ‘application security testing  tools’ are integrated in the Continuous Integration (CI) and Continuous Delivery ( CD) funnel. The same type of integration is very difficult to achieve in case of any “DAST” tool. So it can be mentioned with some conformity that “IAST” tools will soon be a good replacement for the “DAST” tools. 

There are numerous vendors in the commercial space offering “IAST” tools now, however they differ in terms of the way their engine works and unfortunately not all fall into the right way of implementation. Just to elaborate on this point, “IAST” tools should be automated to such an extent that it can work almost without any human involvement, but that is something not seen in most of the other application security tools which are available commercially. 

Being a consultant, I have personally known to many of these solutions available in the commercial space but I see one of them stands out. This solution is called “NexIAST” and it is from a vendor “NeuraLegion”. The main thing which differs this tool from the other tools is the fact that it’s engine is powered by “Machine Learning” technology. This “Artificial Intelligence”, (AI) driven approach definitely gives this tool an edge. 

That’s all for now and I will keep on adding more facts on my following blogs on this technology. If you need any specific query to be addressed, please do feel free to reach out to me @ anirban@meteonic.com