It wasn’t THAT long ago when the prevailing thinking around software applications was to avoid updating them right away when a new version came out, particularly if it was the first version of an application. Why? Because we all just knew there would be lots of bugs and issues. We figured we would be better off letting them get fixed and waiting for the next update. Let someone else be the guinea pig, right?

Well, no more! The thinking has completely shifted to consuming application updates on an almost daily basis – or even more frequently than that! Why? Because we all want the latest and greatest features. We no longer want to wait 6 months for a new capability, because modern software practices (microservices & containers, anyone?) allow us to deliver it as soon as it is available. No more having to wait for every other part of the application to be ready to release!

An Application Reporting On Its Vulnerabilities. Really?

But software, when it is released, HAS to be secure. While no one WANTS to release vulnerable software, the fast pace of modern software development often forces trade-offs between speed, quality and resiliency. In that mode, maintaining security can be a daunting challenge.

But wouldn’t it be great if I could deploy my application to testing, and while it was being tested it could also be monitoring and reporting on vulnerabilities found while teams were using it? And what if some of the interactions that triggered findings came from the functional testing I was already doing? My QA teams would automatically be helping me find and fix security issues, in context and in scope. And wouldn’t it also be cool if I could do the same with a release into production? I would know right away that the issues found were real, and I’d know exactly what was going on when the vulnerability was found.

You’ve asked.  And now HCL AppScan has introduced IAST to its already deep portfolio of application security tools.  And here is why it matters for you.

IAST is Fast – DevOps Fast

The single greatest advantage of IAST is its speed. When used in conjunction with SAST and DAST, it can give you the best of both worlds. It’s a perfect fit for DevOps because it is a zero-time analysis: there is no actual “scanning” occurring. Instead, the IAST agent monitors the application as it is executed by another activity (usually functional testing), and it reports back on the security issues it identifies. The IAST report yields developer-focused results that show each vulnerability along with the line of code and the call stack captured at the moment it was detected.

AppScan IAST+ is Accurate

But it doesn’t matter how fast your scan is if the results you get are not reliable. Because the analysis is performed on a running application, it can only identify scenarios that were actually executed. That means it depends on interactions from a user or an automated test, so naturally you get fewer false positives and fewer false negatives. Another key advantage of AppScan IAST+ is that it builds upon the vast experience AppScan has with DAST and SAST to improve IAST further. One key example is its ability to evaluate regular expression sanitizers. Normally, evaluating sanitizer functions that use regular expressions is extremely difficult, but thanks to our deep DAST knowledge we have been able to incorporate this into AppScan IAST.
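As an added illustration (not AppScan’s code, and not a description of its internals), the toy Python agent below shows the two ideas from the sections above: a hook on a SQL sink that records the calling line and call stack the moment tainted data reaches it during a functional test, and a probe-based check of whether a regex sanitizer actually removes the tokens that sink considers dangerous. The `Tainted` wrapper, the probe list, the hook names and the `alice` request parameter are all constructed for the example.

```python
import re
import traceback

# Tokens a SQL query sink must never receive from untrusted input (constructed probe list).
SQL_SINK_DANGEROUS = ["'", '"', ";", "--", "/*"]

class Tainted(str):
    """Marks data that came from an untrusted source; the mark survives concatenation."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))
    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

def regex_sanitizer_is_effective(strip_pattern, dangerous=SQL_SINK_DANGEROUS):
    """Probe a strip-style sanitizer (re.sub(pattern, "", value)) with every token the
    sink considers dangerous; trust it only if each token is removed completely."""
    return all(re.sub(strip_pattern, "", tok) == "" for tok in dangerous)

def monitored_sanitize(value, strip_pattern):
    """Agent hook around the application's sanitizer: output stays tainted unless the
    regex is shown to neutralise the sink's dangerous tokens."""
    cleaned = re.sub(strip_pattern, "", value)
    if isinstance(value, Tainted) and not regex_sanitizer_is_effective(strip_pattern):
        return Tainted(cleaned)
    return str(cleaned)

def monitored_execute(sql, findings):
    """Agent hook around the SQL sink: when tainted data arrives, record a finding with
    the calling line and the call stack that led there (the query is not executed)."""
    if isinstance(sql, Tainted):
        frames = traceback.extract_stack()[:-1]          # drop this hook's own frame
        caller = frames[-1]
        findings.append({"type": "SQL Injection", "file": caller.filename,
                         "line": caller.lineno, "function": caller.name,
                         "stack": [f.name for f in frames], "query": str(sql)})

def lookup_user(username, findings, strip_pattern):
    """Application code under test: sanitizes a request parameter, then builds a query."""
    safe = monitored_sanitize(username, strip_pattern)
    monitored_execute("SELECT * FROM users WHERE name = '" + safe + "'", findings)

def run_functional_test(strip_pattern):
    """Simulates QA exercising the user lookup while the agent observes; returns findings."""
    findings = []
    lookup_user(Tainted("alice"), findings, strip_pattern)   # constructed request parameter
    return findings

if __name__ == "__main__":
    for pattern in (r"[';]", r"[^A-Za-z0-9_]"):
        print(pattern, "->", run_functional_test(pattern))
```

The weak pattern strips only quotes and semicolons, so `--` and `/*` survive and the sink still sees tainted data; the allow-list pattern is shown to remove every probe token, so the same functional test produces no finding.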

AppScan IAST+ Performs

If you are wondering about any potential performance impact on your ongoing development activities, we have good news. We found that IAST tools have a less than 10% performance impact for Java. AppScan IAST+ has a less than 4% performance hit for Java, and the effect on the application load is insignificant. Our passive IAST monitors applications during existing functional (or any other) testing, hence the zero-time analysis. But AppScan IAST+ can also leverage AppScan’s DAST engine to complement functional testing coverage if needed.

It’s Part of a Larger Application Security Solution

To be clear, no one is advocating that organizations drop their SAST and DAST initiatives in favor of IAST. With an ever-expanding threat landscape, there is a place and a need for each of these types of security tests. AppScan IAST is meant to complement and enhance your security testing. It is much more than a point solution: it is meant to be part of a comprehensive Application Security Testing suite, and it was designed to show its results side by side with your DAST, SAST and SCA findings. That means the results you receive from AppScan Standard, AppScan Source, AppScan Enterprise and AppScan on Cloud can all be viewed together to give you a more holistic view of your security posture.

And We’re Just Getting Started!

We will continue to work to deliver the best capabilities to market, enabling you to have the breadth, depth and speed you need to succeed in modern software development. Let us know what you’d like to see. We’d love to hear from you. Our new IAST capabilities are part of the AppScan V10 release. To learn more about this and other great additions, visit my launch blog and see our livestream event replay.
