Application Security Testing - Part 2
To continue from Part 1, let's now discuss another type of testing called Interactive (or Instrumented) Application Security Testing (IAST) which has positioned itself to be the best of both worlds (SAST and DAST). DAST will be discussed in a future post. For example, IAST claims to eliminate the volume of reported false positive from SAST and overcomes the need to understand the business application to prep a DAST solution - it's a plug and play solution (or is it).
IAST solutions typically requires "an agent" to be factored into the start-up of your application. As you exercise your application the IAST "agent" will determine if the event being assessed is of security relevance and report accordingly.
The term IAST has been coined and used for almost a decade, but the maturity of this type of solution is still in its infancy compared to the SAST and DAST type solutions.
The more obvious use case for IAST is to execute it during the integration/functional testing of the business application. However, similar to SAST, IAST solutions can be integrated with your IDE to support the "shift left" testing mindset.
At the time of writing (April 2019) there are not many open source IAST tools. However, one of the commercial vendor - Contrast Security have a community edition of their tool.
The cost of this type of solution is many times more than other tools, so your mileage may vary depending of how many licence units your are looking to purchase.
These types of testing tools are really aimed to be used by the delivery/development teams versus your traditional security team. However for those hardcore security folks, you may be interested in the Burp Infiltrator.
IAST is an interesting testing approach and is definitely worth keeping an eye on the evolution of this technology.