Interactive Application Security Testing (IAST) is a term for tools that combine the advantages of Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). It is a generic cybersecurity term coined by Gartner, so IAST tools may differ a lot in their approach to testing web application security. Let us explain how these testing tools came to be, how they detect security vulnerabilities, and what their advantages and disadvantages are.

Web Application Security Testing Tools

Web application security testing tools, which are the tools that help you find security risks in your web applications or APIs, can in general be divided into two primary classes:

SAST tools (Static Application Security Testing), also known as source code scanners or white-box testing tools:

  • Work only on the source code of the application
  • Pinpoint the exact cause of the problem
  • Can find problems in code that is already created but not yet used in the application
  • Are language-dependent: support only selected languages like PHP, Java, etc.
  • Known to report a lot of false positives
  • Cannot discover problems related to data or configuration
  • Do not cover the security of third-party libraries or products, for example, open-source components

DAST tools (Dynamic Application Security Testing), also known as black-box testing tools, including automated vulnerability scanners and manual penetration testing tools:

  • Work only on the compiled application (runtime)
  • Are completely independent of the language used to create the application
  • Discover problems related to data and configuration
  • Have much lower false positive rates than SAST tools
  • Cannot pinpoint the exact source of the problem (i.e. the line of code)

A web-security-savvy business would traditionally have to employ these two types of tools separately. SAST tools would be used at the earlier stages (in the development environment or workflows) for automatic code review by businesses that develop their own web applications. DAST tools would be used more commonly: by all businesses that have web pages or web applications (including those that develop their own), often by dedicated security teams.

To make it easier for businesses, web application security tool manufacturers realized that static and dynamic testing techniques can be merged together to create better tools that would include the advantages of both. This is how IAST (Interactive Application Security Testing) was born.

The biggest problem with IAST is that the idea came to the minds of manufacturers of SAST and DAST tools independently, and this resulted in products that use the same generic term but are actually quite different. IAST solutions available on the market are not built from scratch: they extend either traditional source code scanners or traditional web vulnerability scanners. As such, the customer must be careful to choose a product that prioritizes their needs.

SAST/IAST Tools (Passive IAST)

Passive IAST works in ways very similar to RASP tools (runtime application self-protection). It analyzes the behavior of the application using sensors compiled into the code.

Such tools retain one of the biggest disadvantages of their static analysis ancestors: lack of focus on third-party products. Therefore, if you use a passive IAST solution, you must either use yet another tool (software composition analysis – SCA) or simply trust that third parties deliver fully secure products, which is unfortunately often not the case.

Another disadvantage of passive IAST tools is the fact that they only find vulnerabilities in functions that are activated by unit tests or third-party crawlers. This means that there is no guarantee that the entire application is tested, which may cause a lot of vulnerabilities to be missed.

An IAST tool developed as an extension of a SAST product does not perform any attacks or active crawling – it remains a passive scanner. It is definitely an improvement over a pure SAST tool but does not eliminate the need for a web vulnerability scanner.

DAST/IAST Tools (Active IAST)

DAST tools with IAST functionality focus on introducing one advantage of SAST: pinpointing the source of the problem so that your developers don’t spend time figuring out the line of code that causes the vulnerability. There is also added value to active IAST solutions: they provide more accurate results and greatly reduce the number of false positives.

Unfortunately, dynamic analysis tools work in real time on running applications, so they do not directly access the source code. However, they can access compilers and interpreters. In the case of languages such as PHP, an active IAST tool can actually pinpoint the exact line of code that causes the vulnerability. In the case of pre-compiled languages, it can pinpoint the problem in the bytecode, which speeds up finding it in the application code.

All in all, a DAST solution with an IAST agent cannot be expected to fully replace a dedicated source code scanner, but it introduces some of its advantages and even improves the efficiency of dynamic testing itself.
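The two ideas discussed above, sensors compiled into the application that report which line of code let untrusted data reach a dangerous sink, and the fact that a passive sensor can only judge code that some test actually exercised, are illustrated by this added toy example (not code from the article, nor from any IAST product). The sensor, the `Tainted` marker, the three handlers and the in-memory database are all constructed for the illustration:

```python
import inspect
import sqlite3

class Tainted(str):
    """Untrusted input (e.g. an HTTP parameter); concatenation keeps the taint."""
    def __add__(self, other): return Tainted(str.__add__(self, other))
    def __radd__(self, other): return Tainted(str.__add__(other, self))
FINDINGS = []      # (sink, calling function, line) recorded by the sensor
EXERCISED = set()  # handlers that ran: only these can be judged by a passive sensor
HANDLERS = {}      # every instrumented handler, exercised or not

def sensor(sink_name):
    """Instrument a dangerous sink: when tainted data reaches it, record the caller."""
    def wrap(fn):
        def inner(*args, **kwargs):
            if any(isinstance(a, Tainted) for a in args):
                caller = inspect.stack()[1]  # application frame that called the sink
                FINDINGS.append((sink_name, caller.function, caller.lineno))
            return fn(*args, **kwargs)
        return inner
    return wrap

def handler(fn):
    """Instrument an entry point so handlers no test ever reached can be listed."""
    HANDLERS[fn.__name__] = fn
    def inner(*args, **kwargs):
        EXERCISED.add(fn.__name__)
        return fn(*args, **kwargs)
    return inner

DB = sqlite3.connect(":memory:")  # constructed sample database
DB.executescript("CREATE TABLE users (id INTEGER, name TEXT); INSERT INTO users VALUES (1, 'alice');")
@sensor("sql")
def db_query(sql, params=()):
    return DB.execute(sql, params).fetchall()
@handler
def lookup_user_unsafe(user_id):  # tainted value concatenated into the SQL text
    return db_query("SELECT name FROM users WHERE id = " + user_id)
@handler
def lookup_user_safe(user_id):  # validated and bound as a parameter; SQL text stays untainted
    return db_query("SELECT name FROM users WHERE id = ?", (int(user_id),))
@handler
def delete_user(user_id):  # never exercised below, so the sensor cannot judge it
    return db_query("DELETE FROM users WHERE id = " + user_id)

def run_tests():
    """Constructed unit tests driving two of the three handlers, as a passive IAST needs."""
    lookup_user_unsafe(Tainted("1"))
    lookup_user_safe(Tainted("1"))
    return FINDINGS, sorted(set(HANDLERS) - EXERCISED)
```

`run_tests()` returns one finding naming `lookup_user_unsafe` and the line of its query, nothing for the parameterised handler, and lists `delete_user` as code the sensor never saw, which is exactly the coverage gap the article warns about.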

IAST in the Software Development Lifecycle

One of the biggest IAST advantages, independent of whether it is passive or active, is its usability in development processes, especially those based on agile methodologies. Businesses that build their own web applications need to know about potential problems as soon as possible to avoid costs and risks associated with discovering vulnerabilities in production. That is why currently one of the major trends in AppSec and software development is to replace DevOps with DevSecOps.

SAST tools by their nature are made to be used as part of continuous integration. DAST tools are often wrongly perceived as unfit for automation, but contrary to such opinions, leading-edge DAST solutions are successfully used in CI/CD pipelines by many businesses. The introduction of IAST agents into the SDLC is often more complex but worth it.

Both passive IAST and active IAST are an equally good fit for the SDLC. However, passive IAST security testing can be expected to report more false positives, is heavily dependent on the skills of the QA/tester teams (needs unit tests to perform the function of a crawler), and will not cover third-party elements used in development. On the other hand, active IAST, which is much more thorough, might require more computing resources.

Which IAST Product to Choose?

The choice of an IAST tool for you must be based on your precise requirements. If you develop applications in PHP, Java, or .NET, Acunetix with AcuSensor is a very good candidate because it is a DAST tool with an IAST agent. As such, it can greatly reduce your issue remediation time by providing you with accurate information.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Principal Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz was the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.