IAST (Interactive Application Security Testing) is a term for tools that combine the advantages of SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing).
Because IAST is a generic term, tools sold under that label can differ greatly in how they test web application security. This article explains how these tools came about, how they detect security vulnerabilities, and what their advantages and disadvantages are.
The tools that help secure your web applications can generally be divided into two classes:
SAST tools, also known as source code scanners. Their features include:
DAST tools, including automated vulnerability scanners and manual penetration testing tools, which have the following characteristics:
Traditionally, an experienced web security company would have to employ these two types of tools separately.
SAST tools would be used for code review by companies that develop their own web applications. DAST tools would be used more widely, by every company that has web pages or applications (including those that develop their own).
To make life easier for companies, makers of web application security tools realized that static and dynamic testing techniques could be combined into tools that offer the advantages of both. This is how IAST (Interactive Application Security Testing) was born.
The biggest problem with IAST is that SAST and DAST tool makers arrived at the idea independently, which has resulted in products that share the same generic label but are actually quite different.
Below, you will learn how IAST tools are divided between passive and active:
One of the biggest advantages of IAST, whether passive or active, is how well it fits into the development process.
Companies building their own web applications need to know about potential issues as early as possible, to avoid the cost and risk of discovering vulnerabilities in production. That is why one of the main trends in software development today is the move from DevOps to DevSecOps.
SAST tools, by their nature, are meant to be used as part of continuous integration. DAST tools are often wrongly considered unsuitable for this, but contrary to such opinions, high-end DAST solutions are successfully used in CI/CD pipelines by many companies. Introducing IAST agents is usually more complex, because the agent has to be deployed inside the running application rather than pointed at its code or its URL, but it is worth the effort.
Passive and active IAST are equally suited to secure software development. However, passive IAST can be expected to report more false positives and not to cover third-party components used by the application. Active IAST, which is considerably more complete, may in turn require more computing resources.
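To make the passive/active distinction concrete, here is a toy IAST agent written for this article. It is an added illustration, not code from any IAST product, and every name in it (`Agent`, `InstrumentedDb`, the three handlers, `passive_scan`, `active_scan`) is an assumption made up for the example. The agent marks where request data enters the application (the source) and intercepts the SQL sink. In passive mode it only watches ordinary traffic and flags any request value that appears verbatim in the SQL text instead of in the bind parameters; that is enough to catch the injectable handler, but it also flags the hand-escaped handler, which is the kind of false positive the paragraph above refers to. In active mode the agent re-exercises the handler with a probe value containing a quote and only reports a finding if the sink receives the probe unmodified, which clears the escaped handler.

```python
import sqlite3

# Constructed sample application: three request handlers that look a user up
# by name. Only handler_concat is injectable; handler_escaped doubles quotes by
# hand, handler_param uses a bind parameter. Data is made up for the example.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return db


class Agent:
    """Hypothetical IAST agent state: which values entered as request input
    (sources) and what the instrumented SQL sink has seen."""

    def __init__(self):
        self.inputs = set()
        self.observed = []  # (sql, params) tuples seen at the sink

    def source(self, value):
        # Called wherever request data enters the application.
        self.inputs.add(value)
        return value


class InstrumentedDb:
    """Sink instrumentation: records every statement before it is executed.
    Recording happens first so that a statement the database rejects
    (e.g. a syntax error caused by a probe) is still observed."""

    def __init__(self, db, agent):
        self._db, self._agent = db, agent

    def execute(self, sql, params=()):
        self._agent.observed.append((sql, tuple(params)))
        return self._db.execute(sql, params)


def handler_concat(agent, db, name):
    n = agent.source(name)
    return db.execute("SELECT id FROM users WHERE name = '%s'" % n).fetchall()


def handler_escaped(agent, db, name):
    n = agent.source(name).replace("'", "''")
    return db.execute("SELECT id FROM users WHERE name = '%s'" % n).fetchall()


def handler_param(agent, db, name):
    n = agent.source(name)
    return db.execute("SELECT id FROM users WHERE name = ?", (n,)).fetchall()


def passive_scan(handler, name="alice"):
    """Passive mode: watch one ordinary request and report if the request
    value shows up inside the SQL text rather than in the bind parameters."""
    agent = Agent()
    db = InstrumentedDb(make_db(), agent)
    handler(agent, db, name)
    return any(name in sql for sql, _ in agent.observed)


# The probe carries a quote so that escaping at the sink becomes visible.
CANARY = "zz'zz"


def active_scan(handler, name="alice"):
    """Active mode: after a passive observation, replay the handler with the
    probe and confirm the sink received it unmodified. A handler that
    escapes or parameterises the input is not reported."""
    if not passive_scan(handler, name):
        return False
    agent = Agent()
    db = InstrumentedDb(make_db(), agent)
    try:
        handler(agent, db, CANARY)
    except sqlite3.Error:
        pass  # the malformed statement still reached the sink and was recorded
    return any(CANARY in sql for sql, _ in agent.observed)


if __name__ == "__main__":
    for h in (handler_concat, handler_escaped, handler_param):
        print(f"{h.__name__:16} passive={passive_scan(h)!s:5} active={active_scan(h)}")
```

Running the block prints that passive mode flags both `handler_concat` and `handler_escaped` while active mode confirms only `handler_concat`. Real agents hook framework sinks such as database drivers and command execution rather than a hand-written wrapper, and active products send far more than a single probe, but the trade-off shown here is the same one the paragraph above describes: passive observation is cheap and runs on normal traffic, active confirmation costs extra requests and compute but removes a class of false positives.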