Skip to content

Services, Wiki-Artikel, Blog-Beiträge und Glossar-Einträge durchsuchen

↑↓NavigierenEnterÖffnenESCSchließen
DevSecOps Glossary

IAST (Interactive Application Security Testing)

Interactive Application Security Testing (IAST) combines SAST and DAST: agents are injected directly into running applications and analyze code execution and data flows in real time as tests are performed. IAST detects more vulnerabilities than SAST alone, with fewer false positives than DAST—and without the need for a separate testing phase.

IAST is the "sweet spot" between static and dynamic analysis: An instrument agent is injected into the running application and observes from within what is happening—which functions are called, where data flows, and whether user input ends up in database queries unfiltered. The result: precise findings with exact code locations, detected while regular tests are running.

SAST vs. DAST vs. IAST Comparison

                SAST            DAST            IAST
Timing:      Compile time    Runtime        Runtime
View:          Code (internal)    HTTP (external)    Code + runtime
Languages:       Language-specific   Language-agnostic  Language-specific
False positives: High           Medium          Low
False Negatives: Medium         High            Low
Deployment:     CI/CD           Staging         Test environment

SAST detects:    Syntactic patterns in the code
DAST detects:    HTTP responses to attack payloads
IAST detects:    Actual data flows at runtime

Example of SQL injection:
  SAST: "Line 47: String concatenation in DB query - suspicious"
        → But: Is it really user input? False positive possible!

  DAST: "POST /search with ' generates 500 Internal Server Error"
        → Detects symptom, does not know code line

  IAST: "Line 47, function searchProducts(): User input from
         request.query.term flows into
         SQL statement without sanitization - CONFIRMED SQL injection"
        → Exact line, confirmed data flow, no false positive!

IAST Tools and Integration

Leading IAST solutions:

Contrast Security (market leader):
  → Agents for Java, .NET, Node.js, Python, Ruby, Go, PHP
  → Continuous analysis during functional testing
  → Automatically creates tickets in Jira/ServiceNow
  → Integration into CI/CD pipeline as a test phase

Seeker (Synopsys):
  → Deeply integrated with Java/J2EE
  → Good for legacy Java enterprise apps
  → DAST extension available

HCL AppScan IAST:
  → Enterprise focus, IBM heritage
  → SAP/Oracle integration

---

Java Agent Integration (Example: Contrast):

  Maven Surefire Plugin (Unit Tests):
  The JAR is loaded as a Java agent when the test starts:
    -javaagent:/path/to/contrast.jar
    -Dcontrast.standalone.appname=MyApp
    -Dcontrast.server.name=CI-Server
    -Dcontrast.api.key=${CONTRAST_API_KEY}

  Start Spring Boot directly:
  java -javaagent:contrast.jar
    -Dcontrast.standalone.appname=MyApp
    -jar myapp.jar

  Node.js Agent (Contrast):
  In package.json scripts:
    "test:security": "node -r @contrast/agent ./node_modules/.bin/jest"

---

IAST in GitLab CI:
  iast_test:
    stage: test
    image: openjdk:17
    variables:
      CONTRAST_API_KEY: "${CONTRAST_API_KEY}"
      CONTRAST_SERVICE_KEY: "${CONTRAST_SERVICE_KEY}"
    script:
      - wget -q https://app.contrastsecurity.com/Contrast/api/agent/java -O contrast.jar
      - mvn test -DargLine="-javaagent:contrast.jar -Dcontrast.appname=$CI_PROJECT_NAME"
    artifacts:
      reports:
        sast: contrast-findings.json

What IAST detects

OWASP Top 10 Detection via IAST:

A01 Broken Access Control:
  → IDOR: User A retrieves a resource belonging to User B – IAST detects a missing authentication check!
  → Path Traversal: ../../../etc/passwd in file access

A02 Cryptographic Failures:
  → MD5/SHA1 for password hashing → IAST detects weak hash algorithm
  → Sensitive data in logs: IAST tracks data flow

A03 Injection:
  → SQL Injection: User input directly in database query? IAST spots it!
  → Command Injection: user input → operating system call
  → XSS: unescaped output in HTML template

A04 Insecure Design:
  → Business Logic Flaws (more difficult to automate)

A05 Security Misconfiguration:
  → CORS: overly permissive configuration detected
  → Security Headers: X-Frame-Options, CSP missing

A08 Software and Data Integrity:
  → Deserialization: ObjectInputStream with external input without validation

IAST vs. RASP - Detection vs. Protection

RASP (Runtime Application Self-Protection):
  → Protects production in real time (not just the test phase!)
  → Blocks attacks when they are detected
  → No separate testing required: always runs alongside the application

IAST:
  → Test environment: analyzes and reports, does not block
  → Development/staging phase

Both combined (Contrast Security):
  → IAST in test → Findings identified and fixed
  → RASP in production → Resilience against unknown attacks

RASP action upon detected attack:
  1. Monitor: log only (no intervention)
  2. Block: Reject request + return 403
  3. Block + Report: Reject + notify security team

  Example:
  SQL injection attempt → RASP detects in 50 ms:
  → Original database query prevented → "Access Denied"
  → SIEM alert within 1 second
  → Zero impact on legitimate users

DevSecOps Pipeline Classification:
  Pre-Commit: Secret Detection, Linting
  CI:         SAST, SCA, Secret Scanning
  Build:      Container Scanning
  Test:       IAST (during integration tests!) ← here
  Staging:    DAST
  Production: RASP, WAF

AWARE7 Services on This Topic

Web Applikations Penetrationstest
Back to Glossary Book a free consultation