Interactive (IAST) monitoring

ASoC can monitor the normal runtime behavior of an application to detect vulnerabilities.

The Interactive (IAST) technology uses an agent deployed on the web server of the tested application to monitor traffic sent during runtime and report the vulnerabilities it finds. Unlike ASoC scans, an IAST monitoring session does not generate its own traffic: it observes the traffic produced by your system tests, by manual exploring, or by a DAST scan. This gives you ongoing identification of runtime issues without the need to send dedicated test requests.

Whereas a DAST scan sees the application as a "black box", the IAST agent sees "inside" the box, enabling it to provide greater detail about vulnerabilities such as: the location of the vulnerability in the code, the URL, and the specific vulnerable entity (such as parameter, header, or cookie), while SAST would provide the location only, and DAST the URL and entity only.

When you install the IAST Agent on your web server and start an IAST Monitoring Session, the agent monitors the traffic sent to the application (requests, call stack, variables and so on) and reports the vulnerabilities it finds to ASoC. Unlike ASoC scans, an IAST session can run indefinitely. An IAST session stops automatically only if it is configured to stop when the agent disconnects, and the agent then does disconnect.

You can set up the IAST agent that communicates with ASoC either through the UI or through the REST API.

Typical Workflow

  1. Configure and start an IAST scan.
     Details: At the end of this process the IAST Agent is downloaded to your machine.
  2. Deploy the IAST Agent on the application server.
     Details: Although the session has technically started before this step, Issues can be discovered only once the agent is deployed.
  3. Run system tests, a manual explore, or a DAST scan on your application.
     Details: The agent begins to report the issues it finds to ASoC, and they appear in the IAST scan entry.
  4. Periodically review the issues found.
     Details: In the All Issues tab, click the Details link to see the URL and call trace for IAST Issues.
  5. At the next development stage:
       1. Start the same session again
       2. Run the same system tests or DAST scan
       3. Stop the session, and
       4. Compare the new results with the previous ones
     Details: When you start the session again the Issue counter is reset, so it shows only new Issues, enabling you to track development progress.
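The comparison in the last workflow step, together with the three pieces of detail an IAST issue carries (code location, URL and entity, as described above), can be worked through in a small triage script. This is an added example, not ASoC code or its REST API: the IastIssue fields, the application names and URLs in the sample data are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IastIssue:
    """One issue as an IAST agent reports it: code location, URL and entity (hypothetical shape)."""
    issue_type: str
    code_location: str  # location in the code, taken from the reported call trace
    url: str            # request URL that triggered the issue
    entity: str         # vulnerable parameter, header or cookie


def issue_key(issue):
    """Identity of an issue across sessions: all four fields must match."""
    return (issue.issue_type, issue.code_location, issue.url, issue.entity)


def compare_sessions(previous, current):
    """Diff two monitoring sessions; returns (new, fixed, still_open), each sorted by key."""
    prev = {issue_key(i): i for i in previous}
    curr = {issue_key(i): i for i in current}
    new = sorted((curr[k] for k in curr.keys() - prev.keys()), key=issue_key)
    fixed = sorted((prev[k] for k in prev.keys() - curr.keys()), key=issue_key)
    still_open = sorted((curr[k] for k in curr.keys() & prev.keys()), key=issue_key)
    return new, fixed, still_open


def matches_dast(issue, dast_url, dast_entity):
    """A DAST finding carries only URL and entity, so that is all it can be matched on."""
    return issue.url == dast_url and issue.entity == dast_entity


def matches_sast(issue, sast_location):
    """A SAST finding carries only the code location."""
    return issue.code_location == sast_location


# Constructed sample data (hypothetical application, classes and URLs), not real scan output.
SESSION_1 = [
    IastIssue("SQL Injection", "com.example.UserDao.find", "/api/users", "id"),
    IastIssue("Reflected XSS", "com.example.Search.render", "/search", "q"),
]
SESSION_2 = [
    IastIssue("Reflected XSS", "com.example.Search.render", "/search", "q"),
    IastIssue("Path Traversal", "com.example.Files.read", "/download", "name"),
]

if __name__ == "__main__":
    new, fixed, still_open = compare_sessions(SESSION_1, SESSION_2)
    print("new:", [i.issue_type for i in new])
    print("fixed:", [i.issue_type for i in fixed])
    print("still open:", [i.issue_type for i in still_open])
```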

System Requirements for IAST

General:
  • CPU: Recommended 4, minimum 2
  • RAM: At least 8GB
  • If there is a firewall on the server where your application is deployed, make sure there is an exception for the ASoC domain: cloud.appscan.com

Java:
  • Servers:
    • Tomcat, Version 7 or higher
    • WebSphere, Version 8.5 or higher
    • WebSphere Liberty, Version 19 or higher
    • Open Liberty, Version 19 or higher
    • JBoss/WildFly, Version 10 or higher
    • JBoss EAP (Enterprise Application Platform) 6, 7
    • WebLogic, Version 12 or higher
    • Jetty
    • Quarkus (JVM Mode)
  • Runtime Environment: Web application servers running JRE/JDK 1.8.144 and higher
  • Frameworks: Spring Boot, Struts, Resteasy
  • Software: Java versions 8 and higher

.NET Framework:
  • Server running IIS 7 or higher
  • .NET Framework 4.5, 4.62, 4.72, 4.8
  • .NET 5, 6
  • .NET Core 3.1

Node.js:
  • Application Framework: Express 4
  • JavaScript ECMAScript 6