IAST stands for Interactive Application Security Testing. The basic idea is that you have software that watches your application running, usually in a Java or .NET world that uses what’s called the profiling API, and it watches everything that happens in your application and tries to determine if that activity is somehow attacking the software. IAST can be pretty heavyweight, because watching everything can be expensive, but it can also do a good job detecting real vulnerabilities.
How is IAST different from DAST and SAST?
One of the reasons people like IAST over something like DAST or SAST is because when IAST detects something, because it has a lot of context of the running application, the odds of that being a real problem and not a false positive, are pretty high. IAST is going to find more real problems that you actually need to address, and a lot of that stems from having the context of it’s watching and seeing what’s happening in the process as it’s running.
How can you get started using IAST?
One of the great places for IAST is if you have a lot of legacy software, and legacy in this context means that you have either applied very little or no application security practices to that software. Going back and scanning that application with something like a SAST or a DAST, if you haven’t been using those all along, could give you a huge number of results, a good number of which are false positives. Alternatively, you can connect IAST to your currently running servers in your test environment and start collecting information, because most of what you’re going to find is going to be in something you should actually address. You’re going to have fewer false positives and more things to actually address and help improve the security of your software right away.
