https://snyk.io/wp-content/uploads/fundamentals-temp-image.png

Interactive Application Security Testing (IAST)

When building a new kind of service or application, it’s critical to keep security in mind. After all, security breaches can lead to incalculable costs for your business in the blink of an eye. There are many different ways to check the safety of your applications. And while no method can guarantee security 100%, you should always make the effort to keep your apps secure and strive to improve your application security.

What Is Interactive Application Security Testing?

Interactive application security testing (IAST) is an application security testing method that tests your application for vulnerabilities in execution, while the app is actually being used (either by a real user or an automated test runner). Some IAST tools even come with IDE integrations, which allow you to run the security analysis while developing the application.

The core of an IAST tool is sensor modules, software libraries included in the application code. These sensor modules keep track of application behavior while the interactive tests are running. If a vulnerability is detected, an alert will be sent.

Examples of such vulnerabilities could be hardcoding API keys in cleartext, not sanitizing your users inputs, or using connections without SSL encryption.

How Does IAST Differ from Other Security Testing Methods?

In order to help you determine whether a particular security testing method is a good fit for your application testing environment, it’s important to consider what it has to offer as well as its limitations. Let’s examine the differences between each of these testing methods.

Static application security testing (SAST) focuses on code. It works early in the CI pipeline and scans source code, bytecode, or binary code in order to identify problematic coding patterns that go against best practices. SAST is programming-language dependent.

Dynamic application security testing (DAST) is a black-box testing method that scans applications in runtime. It is applied later in the CI pipeline. DAST is a good method for preventing regressions and doesn’t depend on a specific programming language.

IAST is similar to DAST in that it focuses on application behavior in runtime. But IAST analysis is rather based on a combination of black-box testing, scanning, and analysis of internal application flows. The benefit of IAST is its ability to link DAST-like findings to source code like SAST. The downside of this approach is that it makes IAST programming-language dependent and can only be performed later in the CI pipeline.

Software composition analysis (SCA) focuses on third-party code dependencies that are used in the application. SCA is very effective in applications that use many open-source libraries. This method is also programming language-dependent.

IAST Benefits and Drawbacks

IAST is essentially a combination of SAST and DAST. The IAST method analyzes only the code executed in your tests, like DAST, but it also pinpoints the exact place in the code where the vulnerability was found, as with SAST.

IAST differs from DAST and SAST, but why use it? Let’s look at the key benefits of IAST:

  • Scans code in production: The greatest benefit of IAST is its ability to scan code that is actually used in production. SAST tools tend to overburden developers with false positives. Sometimes a line of code can indicate a security problem that was addressed in another part of the code base. IAST focuses on the issues that really matter.
  • Scans code in development: While scanning production code is a huge win, IAST can also be used during development. Some IAST tools come with IDE integration to give engineers quick feedback on the features they’re in the process of implementing. This shifts the security checks to the left in the development life cycle, when they are cheaper to fix.
  • Quick remediation: IAST links issues with code locations, which is where IAST differs from DAST. IAST allows you to click through your application to find problems and provides recommendations for quick remediation. This isn’t without any risk. Just because you’ve never tested the code, doesn’t mean it won’t have any security vulnerabilities in the production environment. On the other hand, developers’ time is limited and they must invest it wisely.

IAST also has its drawbacks:

  • Programming-language dependent: The fact that IAST is programming-language dependent is a major drawback. While some tools don’t require you change your code to include their sensor modules, they are still bound to specific technologies. If you happen to use a less popular technology because that perfectly suits your use case, IAST might not be the right choice for you.
  • Time intensive: The IAST testing method requires you to build and execute your application (which isn’t the case with a SAST) and therefore requires significant time investment in the long run. This might not be a problem for issues that are caught in in development when using IDE plugins, because of the quick feedback. But when you want to build big test suites that have to run on all production releases, things can slow down.
  • Doesn’t have 100% code coverage: The drawback of scanning only code that is actually executed is that IAST doesn’t scan all the code. While it removes many false positives, it also ignores the code your quality assurance forgot to run in your test. Just because you didn’t think about it, doesn’t mean the code won’t be executed in production.

Know Your Requirements Before Choosing IAST

As with every application security testing method, it is important to analyze your technology stack and processes before choosing one. Depending on your programming language of choice, IAST might not even be an option for you. In such cases, you’d have to fall back on DAST, which only checks the inputs and outputs of your application and doesn’t scan the code.

While IAST may provide critical insights into your application’s security that cannot be derived using SAST approaches, IAST can also significantly slow down your CI pipeline. SAST-based solutions might therefore be a better option for your application on a day-to-day basis.

Ensure efficient and actionable developer efforts. The Snyk Code, a developer-first SAST solution, is powered by AI and relys on Snyk’s very own hand-curated vulnerability database, and reference commits as its training set to give you the best security tips while coding.

Find and fix vulnerabilities in your application code

Secure code with a developer-friendly SAST experience

April 20, 2021
| By Liran Tal