Changing the DAST game with Invicti IAST

Invicti has added an interactive testing component to its dynamic application security testing engine to create a game-changing DAST+IAST combination. This article presents the Invicti approach to IAST and announces a white paper highlighting its benefits.

Introducing True Interactive AST

Interactive application security testing (IAST) is a catch-all term for a range of security testing approaches that bridge the gap between static source code analysis (SAST) and dynamic testing (DAST). What they have in common is that the IAST component attaches to a running application to monitor code execution and detect insecure operations and behaviors. Where they differ is in how the testing is controlled, and this is where Invicti’s True IAST approach stands out.

Putting the “I” into IAST: Invicti Shark

Most runtime security testing tools that are labeled as IAST need to be separately launched from a test suite or vulnerability scanner, with little or no interaction between the initiator and the IAST component during testing. Invicti introduces truly interactive security testing by integrating an additional IAST module, called Invicti Shark, into its industry-leading DAST solution. The core scanning engine continuously communicates with the interactive testing component to guide its execution and obtain deeper insights into how the application reacts to test payloads.

When enabled, the Shark module attaches to the application runtime without requiring access to or modification of the source code. By monitoring code execution while the dynamic scan runs, Shark feeds the core scanning engine runtime information that DAST alone cannot see, at minimal performance overhead. True IAST with Invicti Shark is currently available for PHP, Java, and .NET applications, with support for more technologies in development.

The True IAST Difference

Because Invicti’s IAST module works hand in hand with the scanning engine, it extends the vulnerability results obtained with Proof-Based Scanning™ by pinpointing where in the code an issue originates, often down to the specific line number. It also supplies additional confirmation and attack payloads for detected vulnerabilities and reports, from inside the application, on local assets and the security of the runtime environment. All of this is incorporated into the scan results automatically, giving security engineers and developers detailed and actionable reports that cover a wider range of issues.
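To make the mechanism described in the last three sections concrete, the following is an added illustration written for this article, not Invicti Shark or any Invicti code. It shows the three ingredients of scanner-driven IAST in miniature: an agent that attaches to a running application at runtime by hooking a dangerous sink (here the SQL execution path of Python's sqlite3 module, standing in for the PHP, Java and .NET runtimes Shark supports), a marker that lets the agent recognise the scanner's probe payload when it reaches the sink, and a per-request correlation ID so the scanner can ask the agent which source line was hit by which request. The marker string, the correlation scheme, the `Agent` and `InstrumentedConnection` classes and the two application endpoints are all constructed for the example; a real agent instruments bytecode or the runtime rather than swapping a connection factory.

```python
"""Added illustration of the IAST mechanism described above: an agent hooks a dangerous
sink in the running application, recognises the scanner's probe payload and records the
source line that reached the sink. Not Invicti Shark; all names are constructed."""
import sqlite3
import sys
from dataclasses import dataclass

# Hypothetical marker the scanner embeds in each probe so the agent can tell
# probe traffic from ordinary requests.
PROBE_MARKER = "IASTPROBE"


@dataclass(frozen=True)
class Finding:
    correlation_id: str  # scanner request that triggered the sink
    sink: str            # instrumented operation
    filename: str        # application source file that called the sink
    lineno: int          # exact line, as an IAST report would show it
    function: str
    statement: str       # SQL text as it arrived at the sink


class Agent:
    """Collects sink hits per scanner request; stands in for the scanner-agent channel."""

    def __init__(self):
        self.findings = []
        self.request_id = None

    def begin_request(self, correlation_id):
        self.request_id = correlation_id

    def end_request(self):
        self.request_id = None

    def on_sink(self, sink, statement):
        # Flag only statements carrying the marker: the payload reached the sink as
        # live SQL text, which DAST alone can only infer from the HTTP response.
        if PROBE_MARKER not in statement:
            return
        frame = sys._getframe(1)  # walk outward past the agent's own frames
        while frame is not None and frame.f_code in _AGENT_CODE:
            frame = frame.f_back
        self.findings.append(Finding(self.request_id, sink, frame.f_code.co_filename,
                                     frame.f_lineno, frame.f_code.co_name, statement))

    def findings_for(self, correlation_id):
        return [f for f in self.findings if f.correlation_id == correlation_id]


class InstrumentedConnection(sqlite3.Connection):
    """Sink hook: every statement run through this connection is inspected first."""

    def execute(self, sql, *args):
        if _agent is not None:
            _agent.on_sink("sqlite3.Connection.execute", sql)
        return super().execute(sql, *args)


_agent = None
_real_connect = sqlite3.connect
_AGENT_CODE = {Agent.on_sink.__code__, InstrumentedConnection.execute.__code__}


def _hooked_connect(*args, **kwargs):
    # Runtime attach: application code is unchanged; every new connection gets the hook.
    kwargs.setdefault("factory", InstrumentedConnection)
    return _real_connect(*args, **kwargs)


def install():
    global _agent
    _agent = Agent()
    sqlite3.connect = _hooked_connect
    return _agent


# Application under test (constructed for the demo).
def lookup_user(conn, username):
    # Deliberately vulnerable: the payload becomes part of the SQL text.
    sql = "SELECT id, name FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    # Parameterised: the payload never enters the statement text, so no finding.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (username,)).fetchall()


def run_scan():
    """Simulate one scanner probe against both endpoints; return the agent's findings."""
    agent = install()
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")
    payload = "' OR '1'='1' -- " + PROBE_MARKER
    agent.begin_request("req-001")  # the scanner tags the request before sending it
    lookup_user(conn, payload)
    lookup_user_safe(conn, payload)
    agent.end_request()
    return agent.findings_for("req-001")


if __name__ == "__main__":
    for f in run_scan():
        print(f"{f.sink} hit from {f.function} at {f.filename}:{f.lineno}")
```

Running it yields exactly one finding: the vulnerable `lookup_user` endpoint, reported with the file and line of the `conn.execute(sql)` call, while the parameterised endpoint produces nothing even though it received the same payload. That asymmetry is the point of the approach: the scanner only sees HTTP responses, whereas the agent sees the payload arrive at the sink as SQL text, so it can confirm the issue and name the offending line rather than inferring both from response behaviour.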

The Benefits of True IAST: Announcing the Invicti White Paper

Invicti Shark is easy to deploy and unlocks a host of benefits across the organization, starting with improved application security and more scalable web application security workflows. The Invicti white paper Changing the DAST Game with Invicti IAST provides more insight into the advantages of the True IAST approach, including faster issue resolution, better working relations between teams, a shorter time to value, and measurable cost savings. The introduction of Invicti’s IAST into the enterprise security model helps organizations build a scalable application security program through efficient and confident automation.

Read the full white paper: Changing the DAST Game with Invicti IAST

Zbigniew Banach

About the Author

Zbigniew Banach - Senior Technical Content Writer

Cybersecurity writer at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.