Active vs Passive IAST Scanning
Exploring the Dynamic Combination of DAST Tools and Application Sensors
Active IAST testing and passive IAST testing
Compared with traditional application testing tools and methodologies, Interactive Application Security Testing (IAST) is relatively new, although many world-leading brands have improved the health of their AppSec programs with IAST since 2014. The challenge early adopters often face is that many technologies and functionalities are bundled under a soup of acronyms. This creates confusion and can at times be misleading.
Read our white paper on Active IAST vs. Passive IAST for more information.
What is active IAST vulnerability scanning?
The active approach to Interactive Application Security Testing (IAST) requires two main components — a Dynamic Application Security Testing (DAST) tool and a sensor that attaches to running applications, otherwise referred to as code instrumentation. The advantage of doing it this way instead of running just a DAST scan is that the sensors attached to the application provide additional insight into the exploit attempt, compared with the black-box nature of typical DAST findings, which will only return results on successful exploits.
During the testing phase, active IAST crawls the application's URLs and sends each of them a list of known attack payloads. The sensor inside the application then observes how the code handles those incoming payloads and reports the vulnerabilities it identifies.
The disadvantage is that organizations using this approach must still wait for a separate security scan to complete to receive a snapshot of their Application Security (AppSec) status. Also, such active tests usually pollute the databases and file systems of the targeted environments and do not always represent typical customer journeys.
What is passive IAST vulnerability scanning?
Passive IAST is a security tool that requires a single agent to run alongside an application. In other words, security is instrumented inside the application. It differs from active IAST in that it does not rely on actively attacking an application to identify vulnerabilities. The passive IAST agent continuously monitors all traffic directed at the application at runtime to identify vulnerabilities. The most significant difference here is that all tests that organizations already perform are used, at the same time, to find security vulnerabilities.
The most comprehensive coverage of an application can be achieved by using existing quality assurance testing — be it manual or automated — or even by testing production use of the application. Passive IAST transforms all use of the application into a security test, making it a cost-effective and secure solution. Passive IAST eliminates the need to set up a separate infrastructure for security testing.
Benefits of passive IAST testing
The passive approach to application security testing will be the most scalable and manageable across AppSec programs. A passive IAST testing approach has the following advantages:
- It does NOT require you to attack the application and instead finds vulnerabilities through regular traffic flowing through the app;
- It does NOT take an extended period of time to scan in your Continuous Integration/Continuous Deployment (CI/CD) pipeline and instead monitors your application in real time;
- Passive IAST is a continuous solution which fits itself across your entire SDLC as opposed to active IAST which is only a point-in-time snapshot;
- Passive IAST incentivizes AppSec teams to improve application testing coverage by offering twice the value from it - code quality as well as code security; and
- Finally, passive IAST has fewer moving parts, making it easier to manage and scale across many applications.
What Is IAST?
Analyst firm Gartner has defined the IAST category as follows:
"Interactive Application Security Testing (IAST) uses instrumentation that combines Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) techniques to increase the accuracy of application security testing. Instrumentation allows DAST-like confirmation of exploit success and SAST-like coverage of the application code and, in some cases, allows security self-testing during general application testing. IAST can be run stand-alone or as part of a larger AST suite, typically DAST."
Gartner's definition is relatively broad, allowing various solutions to be classified as IAST products.
What is the difference between active IAST and passive IAST?
Active IAST uses malicious requests to attempt to exploit the application, with a sensor within the app to try to identify the vulnerable line of code.
| | Active IAST Testing | Passive IAST Testing |
| --- | --- | --- |
| Description of testing | Active IAST uses malicious requests to attempt to exploit the application, with a sensor within the app to try to identify the vulnerable line of code. | Passive IAST works by monitoring non-malicious traffic (manual and automated tests) via sensors within the app to identify vulnerable code paths. |
| Pros and cons | Pro: Useful when you don't have any end-to-end tests | Pro: Runs alongside your existing automated tests and any manual usage of the app |
| | Con: Delivers slow scans due to fuzzing, and impacts overall performance | Pro: Extremely fast with minimal impact |
| | Con: Limited to a set of DAST-type findings | Pro: Broad range of findings with unparalleled accuracy |
| | Con: Requires tuning (Authn/Authz/APIs) | Pro: Zero tuning required |
| | Con: Changes the state of your test environments | Pro: Does not affect your environment state |
| | Con: Coverage limited to DAST crawler capabilities | Pro: Can be coupled with a crawler for extra coverage |
How does Contrast Security enable the ideal IAST testing outcomes?
Contrast Security was founded on the principle that the best and most efficient application security is done from within the application. Contrast Security delivers real-time and always-on application and API security that prevents exploits in production and stops insecure programming during development.
The Contrast Security IAST tool is called Contrast Assess and is designed to secure applications from within. From the outset, Contrast Assess is primarily a passive IAST solution that continuously monitors your application through regular traffic that passes through.
If you want to implement active IAST testing, your best approach would be to use a passive IAST testing approach and choose an automated testing tool that acts like a crawler — or even a free one like OWASP Zed Attack Proxy (ZAP). You’ll produce better results by generating simple end-to-end tests with tools that don’t require vulnerabilities to be exploited.
How do you implement and use Contrast Assess - the IAST tool?
- Instrumentation-based visibility
By embedding sensors inside applications, you find and prioritize software vulnerabilities in real time - in both custom code and third-party libraries - with full context of the application, turning every functional test into a security test. The IAST method of application security protects you during the development, testing and runtime phases - across the entire Software Development Life Cycle (SDLC).
- Developer remediation guidance
Using the 3 Ways of DevOps philosophy of “Flow - Feedback - Continuous Learning” embedded in the IAST methodology of application testing, Contrast Assess gives developers feedback early, as potential vulnerabilities are being introduced, shows exactly where in the code they occur and guides the developers on how to fix them. This approach enables developers to fix vulnerabilities easily without needing security expertise, and companies can eliminate whole classes of vulnerabilities from ever being introduced again.
- Accurate results
Contrast Assess tests the entire surface of your application by analyzing custom code and third-party libraries together. It analyzes routes (source - sanitizer - sink) and URL traffic to better understand where to effectively increase security test coverage.
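The passive mechanism described on this page (an in-app agent that watches ordinary traffic and reports a source - sanitizer - sink route) as an added toy illustration in Python; this is not Contrast's or Contrast Assess's code, and the `Tainted` type, `lookup` endpoint, `escape_sql` sanitizer and `execute_sql` sink are hypothetical stand-ins. It shows why no attack payload is needed: the benign value `alice` from a functional test is enough to surface the unsanitized route.

```python
# Added example, not code from Contrast or Contrast Assess: a toy passive IAST
# sensor that tags data from an untrusted source, follows it through string
# concatenation and an optional sanitizer, and checks it at a sink. Because it
# reasons about data flow rather than payloads, it reports the vulnerable route
# even when the request carries an ordinary value from a functional test.
FINDINGS = []  # routes the sensor reported, as (source, ..., sink) tuples

class Tainted(str):
    """A str that remembers its origin and which sinks it is already safe for."""
    def __new__(cls, value, route=(), safe_for=frozenset()):
        obj = super().__new__(cls, value)
        obj.route, obj.safe_for = tuple(route), frozenset(safe_for)
        return obj
    def __add__(self, other):
        return propagate(self, other)
    def __radd__(self, other):
        return propagate(other, self)

def propagate(left, right):
    """Taint survives concatenation; safety is the intersection of both parts."""
    parts = [p for p in (left, right) if isinstance(p, Tainted)]
    route = sum((p.route for p in parts), ())
    safe = frozenset.intersection(*(p.safe_for for p in parts))
    return Tainted(str(left) + str(right), route, safe)

def escape_sql(value):
    """Sanitizer (hypothetical): escapes quotes, marks tainted input SQL-safe."""
    escaped = str(value).replace("'", "''")
    return Tainted(escaped, value.route + ("sanitizer:escape_sql",),
                   value.safe_for | {"sql"})

def execute_sql(query):
    """Sink: stands in for a database call; records unsanitized tainted input."""
    if isinstance(query, Tainted) and "sql" not in query.safe_for:
        FINDINGS.append(query.route + ("sink:execute_sql",))
    return "rows for: " + str(query)

def lookup(params, sanitize):
    """Hypothetical app endpoint; 'sanitize' toggles the one-line fix under test."""
    name = Tainted(params["user"], route=("source:param.user",))  # source
    if sanitize:
        name = escape_sql(name)
    return execute_sql("SELECT * FROM users WHERE name = '" + name + "'")

def run_functional_test():
    """One benign QA request per route, as a passive sensor would observe it."""
    FINDINGS.clear()
    lookup({"user": "alice"}, sanitize=False)  # ordinary input, route reported
    lookup({"user": "alice"}, sanitize=True)   # sanitized route, no finding
    return list(FINDINGS)
```

A DAST-only check would have to send a payload that actually breaks the query to notice the first route; the sensor reports it from the data flow alone and stays silent on the sanitized one.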