8. Interactive Application Security Testing (IAST)

[Diagram] The Application Under Test (Runtime, App Server, Frameworks, Libraries, Custom Code) runs with an IAST Agent inside it; a Testing Framework drives the application, and the agent reports to an IAST server and an IAST Dashboard. The flow has four steps:
1. Monitoring of Application Under Test
2. Event-Collection during Testing
3. Security-Queries Execution
4. Pushing Vulnerabilities to the Dashboard
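To make the four steps concrete, here is an added toy IAST agent in Python (example code, not from the slides or any product): a sink wrapper instruments a hypothetical `execute_sql()`, events are collected while a stand-in functional test runs, a security query is evaluated over the events, and the findings are what would be pushed to the dashboard. The `Tainted` marker, the `http.param:name` source label and the test inputs are all constructed for the example.

```python
# Added toy IAST agent (hypothetical names, not from the slides); taint is
# propagated only through string concatenation, real agents hook far more.
import functools

class Tainted(str):
    """A string marked as attacker-controlled, remembering its source."""
    def __new__(cls, value, source="unknown"):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj
    def __add__(self, other):   # keep the marker through concatenation
        return Tainted(str.__add__(self, other), self.source)
    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.source)

events = []  # step 2: one record per monitored call, collected during testing

def monitor_sink(sink_name):
    """Step 1: wrap a dangerous API so the agent observes every call to it."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(query, *args, **kwargs):
            events.append({"sink": sink_name, "tainted": isinstance(query, Tainted),
                           "source": getattr(query, "source", None)})
            return fn(query, *args, **kwargs)
        return wrapper
    return deco

@monitor_sink("sql.execute")
def execute_sql(query, params=()):
    """Stand-in for a DB driver's execute(); it only echoes the query here."""
    return f"executed: {query} with {params}"

def find_user_vulnerable(name):
    # Query text built from user data: the taint marker reaches the sink.
    return execute_sql("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_safe(name):
    # Parameterised: the query text is constant, user data travels separately.
    return execute_sql("SELECT * FROM users WHERE name = ?", (name,))

def run_security_queries():
    """Step 3: rules over the event stream; step 4: findings for the dashboard."""
    return [{"rule": "SQLi: tainted data in query text",
             "source": ev["source"], "sink": ev["sink"]}
            for ev in events if ev["sink"] == "sql.execute" and ev["tainted"]]

def run_functional_tests():
    """Drive the app as a functional test suite would, then report findings."""
    events.clear()
    user = Tainted("alice", "http.param:name")  # constructed request parameter
    find_user_vulnerable(user)
    find_user_safe(user)
    return run_security_queries()
```

Only the concatenated query is flagged; the parameterised one produces a monitored event but no finding, which is the "immediate feedback" the comparison table credits IAST with.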
9. Software Composition Analysis (SCA aka OSA)

[Diagram] The customer's libraries (source code + binary files) and the customer's open source (OS) libraries are scanned locally; a Cloud Service checks the result against a Repository of Open Source libraries. The flow has four steps:
1. Scan project sources and run dependency resolution
2. Send list of potential OS dependencies
3. Identify OS libraries metadata, vulnerabilities, licenses
4. Generate report
11. AppSec Techniques: Advantages and Disadvantages

SAST
Advantages:
• Can be used after the 1st line of code is written – max Shift Left
• Makes vulnerability fixing easy by showing the problem in the source code
• Produces fast results even for large applications
• Can be easily integrated into the CI process
Disadvantages:
• Cannot see all flows, e.g. because of user data dependencies
• Requires continuous development for new language/framework support
• May require fine tuning to accommodate custom sanitisers and services

DAST
Advantages:
• Provides visual confirmation for vulnerabilities
• Doesn't require access to source code to produce results
Disadvantages:
• Requires a functional application
• Can only detect reflected vulnerabilities
• Takes a lot of time to generate and execute all inputs
• Is difficult to integrate into the CI process
• Shows there is a problem, doesn't tell where it is in the code

IAST
Advantages:
• Provides immediate feedback when suspected vulnerabilities are found
• Doesn't require access to source code to produce results
• Can be integrated into the CI process
Disadvantages:
• Requires a functional application
• Requires an existing (preferably automated and comprehensive) functional testing suite
• Highly dependent on the application technology