Introducing True Interactive AST
Interactive application security testing (IAST) is a catch-all term applied to many different security testing approaches that bridge the gap between source code analysis (SAST) and dynamic testing (DAST). In general, all IAST tools attach to a running application to monitor code execution and detect insecure operations and behaviors. The fundamental difference lies in the way they are controlled – and this is where Invicti’s True IAST approach stands out.
Putting the “I” into IAST: Invicti Shark
Most runtime security testing tools that are labeled as IAST need to be separately launched from a test suite or vulnerability scanner, with little or no interaction between the initiator and the IAST component during testing. Invicti introduces truly interactive security testing by integrating an additional IAST module, called Invicti Shark, into its industry-leading DAST solution. The core scanning engine continuously communicates with the interactive testing component to guide its execution and obtain deeper insights into how the application reacts to test payloads.
When enabled, the Shark module attaches to the application runtime without any need for code access or modification. By monitoring code execution during dynamic security testing, Shark provides the core scanning engine with runtime information that is inaccessible with DAST alone – and does so with only minimal performance overhead. True IAST with Invicti Shark is currently available for PHP, Java, and .NET applications, with more technologies in development.
The True IAST Difference
Invicti’s IAST module works hand in hand with the scanning engine, so it extends vulnerability testing results obtained using Proof-Based Scanning™ by isolating the source of the issue, often down to the specific line number. It also provides additional confirmation and attack payloads for detected vulnerabilities and returns inside information about local assets and the security of the local application environment. All this intelligence is automatically incorporated into scan results to provide security engineers and developers with detailed and actionable vulnerability reports for a wider range of issues.
The Benefits of True IAST: Announcing the Invicti White Paper
Invicti Shark is easy to deploy and unlocks a host of benefits across the organization, starting with improved application security and more scalable web application security workflows. The Invicti white paper "Changing the DAST Game with Invicti IAST" provides more insight into the advantages of the True IAST approach, including faster issue resolution, better working relations between teams, a shorter time to value, and measurable cost savings. The introduction of Invicti’s IAST into the enterprise security model helps organizations build a scalable application security program through efficient and confident automation.
Read the full white paper: Changing the DAST Game with Invicti IAST