What makes Invicti’s IAST special

Zbigniew Banach - Fri, 29 Apr 2022 -

Learning about the different application security testing solutions on the market inevitably means navigating all the acronyms. One catch-all term that can cause a lot of confusion is IAST, or interactive application security testing, where you get one acronym for several very different approaches. Let’s clear things up a bit and see what’s so special about Invicti’s truly interactive take on IAST.


Between static and dynamic testing: A brief history of IAST

IAST is an umbrella category popularized by Gartner in the 2010s to refer to solutions that occupy the middle ground between static (SAST) and dynamic application security testing (DAST). In practice, there are many different flavors of IAST, with most vendors starting at the static end of things and focusing on adding some dynamic capability to static analysis. In other products, the IAST component is triggered by dynamic testing – this is sometimes called “DAST-induced IAST”.

Despite the “interactive” in the name, most solutions marketed as IAST don’t really interact with anything but are standalone products that operate with little or no integration with the wider security testing process. They promise to combine the best of both worlds, catching some dynamic vulnerabilities that SAST cannot find while also providing more detail than DAST alone – but there is still nothing interactive about them. This is where Invicti stands out by combining the industry’s best DAST engine with a truly interactive server-side component to flesh out already highly accurate vulnerability data.

Putting the “I” into IAST

The Invicti IAST component is a server-side agent that attaches to the application runtime and monitors application behavior during the core DAST scan. As the main vulnerability scanner crawls your application and then probes it for vulnerabilities, the IAST agent constantly interacts with the scanner to detect application reactions to security checks and extract additional intelligence. While the main scan already provides plenty of information about the origin of each vulnerability, the IAST component can often narrow it down to a specific line of code or show a stack trace (depending on the technology and type of vulnerability). And while Invicti’s proprietary Proof-Based Scanning technology already finds and confirms many vulnerabilities with extremely high accuracy, having IAST running alongside translates to even more issues found and proofs extracted.
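To make the scanner-to-agent correlation described above concrete, here is a small added illustration of a DAST-induced IAST agent. It is not Invicti's agent or any code from the product: it assumes the scanner tags each probe with a token (passed through a context variable standing in for a request header), that the agent hooks the application's SQL sink by wrapping `sqlite3.connect`, and that the sink is reached inside the same process. The application handlers, table data, and finding fields are all constructed for the example.

```python
import sqlite3
import traceback
import uuid
from contextvars import ContextVar

# Probe currently being handled, as (probe_id, token). A real agent would
# read this from a header the scanner adds; the simulated scanner sets it.
CURRENT_PROBE = ContextVar("current_probe", default=None)


class Agent:
    """Hypothetical in-process agent: hooks the SQL sink, reports to the scanner."""

    def __init__(self):
        self.findings = []  # reports the scanner later picks up by probe id
        self._real_connect = sqlite3.connect

    def install(self):
        agent = self

        class HookedConnection:
            """Proxy that inspects every statement before delegating to sqlite3."""

            def __init__(self, conn):
                self._conn = conn

            def execute(self, sql, params=()):
                agent.inspect(sql, params)
                return self._conn.execute(sql, params)

            def __getattr__(self, name):
                return getattr(self._conn, name)

        sqlite3.connect = lambda *a, **kw: HookedConnection(agent._real_connect(*a, **kw))

    def inspect(self, sql, params):
        probe = CURRENT_PROBE.get()
        if probe is None:
            return  # ordinary traffic, nothing to correlate
        probe_id, token = probe
        if token not in sql:
            return  # token absent or only in bound parameters: statement unchanged
        # The token is part of the statement text, so untrusted input reached the
        # sink unparameterized. Record the first application frame below the agent.
        stack = traceback.extract_stack()[:-1]  # drop inspect() itself
        app_frame = next((f for f in reversed(stack) if f.name != "execute"), stack[-1])
        self.findings.append({
            "probe_id": probe_id,
            "sink": "sqlite3.Connection.execute",
            "statement": sql,
            "file": app_frame.filename,
            "line": app_frame.lineno,
            "function": app_frame.name,
            "code": app_frame.line,
        })


AGENT = Agent()
AGENT.install()  # must run before the application opens its connection


def make_db():
    """Constructed sample database for the example application."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")
    return conn


def search_user_vulnerable(conn, name):
    # Untrusted input concatenated into the statement: SQL injection
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def search_user_safe(conn, name):
    # Bound parameter: the input never becomes part of the statement text
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def run_scan(handler, agent=AGENT):
    """Simulated DAST probe: compare against a baseline, then merge the agent's report."""
    conn = make_db()
    probe_id = uuid.uuid4().hex
    token = "IAST" + probe_id[:8]
    baseline = handler(conn, "nobody")
    payload = f"' OR '{token}'='{token}"  # tautology carrying the probe token
    ctx = CURRENT_PROBE.set((probe_id, token))
    try:
        response = handler(conn, payload)
    finally:
        CURRENT_PROBE.reset(ctx)
    return {
        "dast_signal": response != baseline,  # what the scanner sees from outside
        "iast": [f for f in agent.findings if f["probe_id"] == probe_id],
    }
```

The concatenating handler produces both a response difference (the DAST signal) and an agent report naming the function and line where the statement was built; the parameterized handler produces neither, because the token only ever appears in the bound parameters. A real agent hooks many sinks and sends its reports to the scanner over a network channel rather than an in-process list.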

To take full advantage of visibility into the server side, Invicti IAST also finds unlinked files on the server and reports them to the main scanner for testing. In addition, the same agent can perform software composition analysis (SCA) to detect vulnerable application components and dependencies, again reporting everything back to the core DAST engine. This true interaction enables Invicti to centrally provide a more detailed picture of your application security posture than a DAST scanner could deliver alone – yet with no need to modify the source code or even have access to it. 

One-click IAST – with no instrumentation needed

When most people hear “IAST”, they immediately think of instrumentation, the process of adding tracing hooks to the application code. While this is necessary with traditional IAST, the Invicti approach is fundamentally different. To add the IAST capability, you simply install the agent package alongside your web server or application server (depending on the technology) and enable IAST testing in your scan settings. And that’s it – now each scan can include DAST, IAST, and SCA testing with no additional preparation, installation, or instrumentation. In fact, as long as you can run the application, you can use the full set of security checks without knowing or caring where the source code is.

This one-click convenience is a major advantage of Invicti’s DAST-first approach to application security testing. From the very start, you are covering your full real-world attack surface with high-quality dynamic testing. With the same platform, you can then expand to include IAST and SCA with very little effort, going from initial deployment to actionable vulnerability reports in a matter of hours. Invicti IAST is available for the most popular server-side technologies, with PHP, Java, .NET, and Node.js currently supported – and more in development. And again, whatever technologies you have today or add in the future, you are always covered by Invicti DAST, no matter what you have under the hood.

Application security testing outside the box

To finally answer the title question, what makes Invicti’s IAST special is that it’s part of an industry-leading platform that is changing the way people think about web application security. Keeping all your application environments secure without slowing down development requires broad coverage combined with accurate automation, and all this while keeping up with the latest threats. Ticking boxes on acronyms and gluing together point solutions won’t get you there. Thinking outside the box and taking a holistic view of web application security is the only way to deliver AppSec that really works – and that is Invicti’s mission.

To learn more about Invicti IAST, read our white paper, Changing the DAST Game with Invicti IAST.


About the Author

Zbigniew Banach

Technical Content Writer at Invicti. Drawing on his experience as an IT journalist and technical translator, he does his best to bring web application security and cybersecurity in general to a wider audience.