Interactive (IAST) Scans

ASoC can perform interactive analysis of normal application runtime behavior, for vulnerabilities.

The Interactive (IAST) scan technology uses an agent deployed on the web server of the tested application to monitor traffic sent during runtime, and report vulnerabilities it finds. Unlike other ASoC scans, an IAST scan doesn't generate its own traffic, but monitors your system tests, or manual exploring, or traffic sent during a DAST Scan. So you can have ongoing identification of runtime issues without the need to send dedicated test requests.

Whereas a DAST scan sees the application as a "black box", the IAST agent sees "inside" the box, enabling it to provide greater detail about vulnerabilities such as: the location of the vulnerability in the code, the URL, and the specific vulnerable entity (such as parameter, header, or cookie), while SAST would provide the location only, and DAST the URL and entity only.

When you install the IAST Agent on your web server and start an IAST Scan, the agent monitors traffic (requests, call stack, variables and so on) sent to the application, and reports to ASoC on the vulnerabilities it finds. Unlike other ASoC scans, an IAST scan can run indefinitely. An IAST scan stops automatically only if configured to stop when the agent gets disconnected, and the agent does get disconnected.



You can set up the IAST agent that communicates with ASoC either through the UI or through the REST API.

Typical workflow
Table 1. Typical workflow
What Details
Configure and start an IAST Scan At the end of this process the IAST Agent is downloaded to your machine.
Deploy the IAST Agent on the application server Although the scan has technically started before this step, Issues can be discovered only when the agent is deployed.
Run system tests, a manual explore, or a DAST scan on your application. The agent begins to report issues it finds to ASoC and they appear in the IAST scan entry.
Stop the scan and review the issues found. In the All Issues tab, click the Details link to see the URL and call trace for IAST Issues.
At the next development stage:
  1. Start the same scan again
  2. Run the same system tests or DAST scan
  3. Stop the scan, and
  4. Compare the new results with the previous ones
When you start the scan again the Issue counter is reset, so it shows only new Issues, enabling you totrack dev. progress.
IAST System Requirements
  • Servers:
    • Tomcat, Version 7 or higher
    • Websphere, Version 8.5 or higher
    • Websphere Liberty, Version 19 or higher
    • Open Liberty, Version 19 or higher
    • JBoss/Wildfly, Version 10 or higher
    • Weblogic, Version 12 or higher
  • Runtime Environment: Web application servers running JRE/JDK 1.8 or higher
  • Frameworks: Struts, Spring Boot
  • Software: Java versions 8 and higher
    Attention: If both the compile-time and the runtime Java versions are 9 or higher, you must add this flag to the java run command:
    –Djava.lang.invoke.stringConcat=BC_SB