Starting an IAST session

Install the IAST agent on your application server, and configure the scan.

Before you begin

If you use more than one server for a single IAST monitoring session, you can either copy the agent from one server to the other, or download separate agents. Both methods are supported.
Note: The IAST monitoring session technically "starts" as soon as installation is complete, but no issues are discovered until the agent is deployed on the application server.

Procedure

  1. If you have not yet done so, create an application for your scans.
  2. In the Application view, click Create Scan to open the wizard, then select Interactive (IAST).
  3. Click Download Agent, and then select .NET, Java, PHP or Node.js to save the relevant agent file to your computer.
    The process of creating the file for download may take a few moments, but then the download starts automatically.
    Note: The downloaded agent includes a key that is valid on multiple servers for the same session, so you can copy the agent to several servers. If you download another agent for the same session, the new agent will have a new key, but the new and old keys will both be valid for the session.
  4. Deploy the IAST Agent on your application server.
    The IAST agent is now monitoring traffic to the server. You can see this confirmed in the Scan entry in the Application tab. When you run system tests or a DAST scan, issues are identified and added to the scan entry.
    Important: The IAST agent discovers issues by monitoring traffic to the application. It does not itself generate requests. After the IAST agent is installed, issues are typically discovered during functional testing, QA, and DAST scans.
    Note: An IAST scan does not stop automatically. It monitors traffic constantly. You can disable monitoring by stopping the IAST session in the ASoC user interface. However, although this disables most IAST agent activity, the agent continues to communicate with ASoC to detect when the session is started again.

Actions

Once the scan is created, the Actions drop-down offers the following options as appropriate:
  • Generate new key: Use this option if the downloaded key was lost.
    Note: If you generate a new key, the previous key becomes invalid.
  • Stop: Stops a running scan without deleting it. You can start it again later. If you want a report on the current scan results, go to the All Issues tab.
  • Start: Starts a stopped scan (license permitting). The Issue counter for the scan starts from zero.
  • Cancel: Deletes the scan.