About interactive monitoring (IAST)

ASoC can monitor normal application runtime behavior to detect vulnerabilities.

The AppScan on Cloud interactive monitoring technology (IAST) uses an agent deployed on the web server of the tested application to monitor traffic sent during runtime, and report vulnerabilities it finds. Unlike dynamic and static ASoC scans, an IAST monitoring session doesn't generate its own traffic, but monitors your system tests, or manual exploring, or traffic sent during a DAST scan. You can have ongoing identification of runtime issues without sending dedicated test requests.

Whereas a DAST scan sees the application as a "black box," the IAST agent sees "inside" the box, enabling it to provide greater detail about vulnerabilities. The IAST agent can provide the location of the vulnerability in the code, the URL, and the specific vulnerable entity (such as a parameter, header, or cookie); a SAST scan provides only the code location, and a DAST scan provides only the URL and entity.

When you install the IAST agent on your web server and start an IAST monitoring session, the agent monitors the traffic sent to the application (requests, call stacks, variables, and so on) and reports the vulnerabilities it finds to ASoC. Unlike ASoC scans, an IAST session can run indefinitely. An IAST session stops automatically only if it is configured to stop when the agent disconnects and the agent then does disconnect.

You can set up the IAST agent, which communicates with ASoC, either through the user interface or through the REST API.

Typical Workflow

  1. Configure and start an IAST scan. The IAST agent is downloaded to your machine.
  2. Deploy the IAST agent on the application server. Although the session has technically started before this step, issues can be discovered only once the agent is deployed.
  3. Run system tests, a manual explore, or a DAST scan on your application. The agent begins to report the issues it finds to ASoC, and they appear in the IAST scan entry.
  4. Periodically review the issues found. In the All Issues tab, click the Details link to see the URL and call trace for IAST issues.
  5. At the next development stage:
     a. Start the same session again.
     b. Run the same system tests or DAST scan.
     c. Stop the session.
     d. Compare the new results with the previous ones.
     When you start the session again, the Issue counter is reset, so it shows only new issues, enabling you to track development progress.
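To make the "inside the box" distinction and the session-to-session comparison concrete, here is a toy in-process monitor written in the style of an IAST agent. It is an added example, not HCL AppScan's agent code: a request entity is marked as untrusted at a source, the taint survives string concatenation, and when it reaches a wrapped sink the monitor records the rule, the URL, the entity, and the code location plus call trace, which is exactly the extra detail a black-box scan cannot supply. Every name (Agent, Tainted, Issue, handle_user, handle_search, execute_sql) and the sample traffic are hypothetical constructions for this illustration.

```python
"""Toy in-process monitor in the style of an IAST agent (added example, not
HCL AppScan's agent). All names and the sample traffic are hypothetical."""
import functools
import inspect
import os
from dataclasses import dataclass


class Tainted(str):
    """A string that remembers which request entity it came from.
    Concatenation keeps the taint, which is enough for the handlers below."""

    def __new__(cls, value, origin):
        obj = super().__new__(cls, value)
        obj.origin = origin  # (entity kind, entity name, request URL)
        return obj

    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.origin)

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.origin)


@dataclass(frozen=True)
class Issue:
    rule: str
    url: str
    entity: str        # "parameter:id", "header:X-Order", "cookie:session"
    location: str      # "file:function:line" of the call that reached the sink
    call_trace: tuple  # function names from that call back toward the entry point


_CONTAINERS = {"parameter": "parameters", "header": "headers", "cookie": "cookies"}


class Agent:
    """Records an Issue whenever tainted request data reaches a sensitive sink."""

    def __init__(self):
        self.issues = []

    def source(self, request, kind, name):
        """Mark a request entity (parameter, header or cookie) as untrusted."""
        return Tainted(request[_CONTAINERS[kind]][name], (kind, name, request["url"]))

    def sink(self, rule):
        """Decorator for a sensitive function, e.g. a database driver's execute()."""
        def decorate(fn):
            @functools.wraps(fn)
            def wrapper(*args, **kwargs):
                for arg in list(args) + list(kwargs.values()):
                    if isinstance(arg, Tainted):
                        self._report(rule, arg.origin)
                return fn(*args, **kwargs)
            return wrapper
        return decorate

    def _report(self, rule, origin):
        kind, name, url = origin
        # stack()[0] is _report, [1] the sink wrapper, [2] the code that called the sink
        frames = inspect.stack()[2:]
        caller = frames[0]
        location = f"{os.path.basename(caller.filename)}:{caller.function}:{caller.lineno}"
        trace = tuple(f.function for f in frames if f.function != "<module>")
        self.issues.append(Issue(rule, url, f"{kind}:{name}", location, trace))


AGENT = Agent()


@AGENT.sink("SQL Injection")
def execute_sql(statement):
    """Stand-in for a database driver's execute(); only echoes the statement."""
    return f"would execute: {statement}"


def handle_user(request):
    """Hypothetical handler that concatenates the 'id' parameter into SQL."""
    return execute_sql("SELECT name FROM users WHERE id = " + AGENT.source(request, "parameter", "id"))


def handle_search(request):
    """Hypothetical handler that concatenates the X-Order header into SQL."""
    return execute_sql("SELECT name FROM users ORDER BY " + AGENT.source(request, "header", "X-Order"))


ROUTES = {"/users": handle_user, "/search": handle_search}


def replay_session(agent, requests):
    """Drive one session's traffic (system tests, a manual explore, or a DAST scan)
    through the app and return the issues the agent recorded for it."""
    agent.issues.clear()
    for request in requests:
        ROUTES[request["url"]](request)
    return list(agent.issues)


def fingerprint(issue):
    """Identity used to match issues across sessions (the call trace may vary)."""
    return (issue.rule, issue.url, issue.entity, issue.location)


def new_issues(previous, current):
    """Issues seen in the current session that the previous one did not report."""
    seen = {fingerprint(i) for i in previous}
    return [i for i in current if fingerprint(i) not in seen]


# Constructed sample traffic: the second session adds one request to the first.
SESSION_1 = [{"url": "/users", "parameters": {"id": "42"}, "headers": {}, "cookies": {}}]
SESSION_2 = SESSION_1 + [{"url": "/search", "parameters": {}, "headers": {"X-Order": "name"}, "cookies": {}}]

if __name__ == "__main__":
    first = replay_session(AGENT, SESSION_1)
    second = replay_session(AGENT, SESSION_2)
    for issue in second:
        print(issue.rule, issue.url, issue.entity, issue.location, issue.call_trace[:2])
    print("new since previous session:", [i.entity for i in new_issues(first, second)])
```

Running the block replays two sessions: the first reports one SQL Injection finding for the `id` parameter on `/users`, the second adds a finding for the `X-Order` header on `/search`, and `new_issues` returns only the latter. Matching on rule, URL, entity and code location rather than on the full call trace is the design choice that keeps the comparison stable when test harnesses change between development stages.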

System Requirements for IAST

General:
  • CPU: Recommended 4, minimum 2
  • RAM: At least 8GB
  • If there is a firewall on the server where your application is deployed, make sure there is an exception for the ASoC domain (cloud.appscan.com).
Table 1.
Java
  • Servers:
    • Tomcat, Version 7 or higher
    • Websphere, Version 8.5 or higher
    • Websphere Liberty, Version 19 or higher
    • Open Liberty, Version 19 or higher
    • JBoss/Wildfly, Version 10 or higher
    • JBoss EAP (Enterprise Application Platform) 6, 7
    • Weblogic, Version 12 or higher
    • Jetty
    • Quarkus (JVM Mode)
  • Runtime Environment: Web application servers running JRE/JDK 1.8.144 and higher
  • Frameworks: Spring 5, Spring 6, Struts, Resteasy
  • Software: Java versions 8 and higher
.NET
  • Server running IIS 7 or higher
  • .NET Framework 4.5, 4.62, 4.72, 4.8
  • .NET 5, 6, 7, 8
  • .NET Core 3.1
Node.js
  • Application Framework: Express 4
  • JavaScript ECMAScript 6
PHP
  • Windows:
    • 8.1.X
  • Linux (Ubuntu):
    • 8.1.X
    • 8.2.X
  • Linux (RedHat):
    • 8.1.X
Note: For IAST support on other PHP releases or platforms, contact the AppScan support team.