Interactive Application Security Testing (IAST) in AppScan Enterprise

The Interactive Application Security Testing (IAST) technology uses an agent deployed on the web server of the tested application to monitor traffic during runtime and report the vulnerabilities it finds. Unlike a DAST scan, an IAST monitoring session doesn't generate its own traffic; it monitors the traffic produced by your system tests, by manual exploring, or by a DAST or SAST scan. You therefore get ongoing identification of runtime issues without sending dedicated test requests to the application.

Whereas a DAST scan sees the application as a "black box", the IAST agent sees "inside" the box. This lets it report more detail about each vulnerability: the location of the vulnerability in the code, the URL, and the specific vulnerable entity (such as a parameter, header, or cookie). By contrast, SAST provides only the code location, and DAST only the URL and the entity.

When you install the IAST agent on your web server and start an IAST monitoring session, the agent monitors the traffic sent to the application (requests, call stack, variables, and so on) and reports the vulnerabilities it finds to AppScan Enterprise. Unlike SAST and DAST scans, an IAST session can run indefinitely.
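The following is an added illustration, not code from AppScan or its agent, of the mechanism the paragraphs above describe: an agent that never sends requests of its own, but marks request entities (parameter, header, cookie) as tainted when the application reads them, and records a finding when a tainted, unsanitized value reaches a dangerous sink, together with the URL, the entity and the code location of the sink's caller. The `Tainted` wrapper, the `readEntity`/`monitoredSink` instrumentation points, the sink name `responseWrite`, the `handleGreeting` handler and the request shape are all assumptions made for this demonstration.

```javascript
// Conceptual model of IAST taint tracking. Added example; not AppScan code.
// Everything below (wrapper, sink names, request shape) is an assumption
// made for the demonstration, not the product's real instrumentation.

class Tainted {
  constructor(value, source) {
    this.value = value;   // the raw string exactly as the application sees it
    this.source = source; // { kind: 'parameter'|'header'|'cookie', name, url }
  }
  toString() { return this.value; }
}

// Instrumented "source": reading an entity from the request marks it tainted.
function readEntity(req, kind, name) {
  const bag = { parameter: req.query, header: req.headers, cookie: req.cookies }[kind];
  const value = bag && bag[name];
  if (value === undefined) return undefined;
  return new Tainted(String(value), { kind, name, url: req.url });
}

// Instrumented "sanitizer": its output is a plain, untainted string.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Code location of the sink's caller, read from the current stack trace.
function callerLocation() {
  const frames = (new Error().stack || '').split('\n').slice(1);
  // frames[0] = callerLocation, frames[1] = monitoredSink, frames[2] = app code
  const frame = frames[2] || '';
  return frame.trim().replace(/^at\s+/, '') || 'unknown';
}

// Instrumented "sink": a tainted value arriving unsanitized becomes a finding
// that carries the URL, the vulnerable entity and the code location.
function monitoredSink(findings, sinkName, value, issueType) {
  if (value instanceof Tainted) {
    findings.push({
      issueType,
      sink: sinkName,
      url: value.source.url,
      entity: { kind: value.source.kind, name: value.source.name },
      location: callerLocation(),
    });
  }
  return String(value);
}

// Application code under test: one sanitized flow and one unsanitized flow.
function handleGreeting(req, findings) {
  const name = readEntity(req, 'parameter', 'name');
  const ua = readEntity(req, 'header', 'user-agent');
  const safe = monitoredSink(findings, 'responseWrite', escapeHtml(name), 'Cross-Site Scripting');
  const unsafe = monitoredSink(findings, 'responseWrite', ua, 'Cross-Site Scripting');
  return safe + unsafe;
}

// A monitoring session only observes requests the tests already make.
function runMonitoringSession(requests) {
  const findings = [];
  for (const req of requests) handleGreeting(req, findings);
  return findings;
}

// Constructed sample request, standing in for a manual or system test.
const SAMPLE_REQUESTS = [{
  url: '/greet?name=Alice',
  query: { name: 'Alice' },
  headers: { 'user-agent': 'test-client/1.0' },
  cookies: {},
}];

const SESSION_FINDINGS = runMonitoringSession(SAMPLE_REQUESTS);
console.log(JSON.stringify(SESSION_FINDINGS, null, 2));
```

Running the block reports a single finding for the `user-agent` header flow and none for the `name` parameter, because `escapeHtml` returns a plain string and so breaks the taint. The `location` field is what separates this from a DAST-style report: it comes from the stack at the moment the sink is called, which is exactly the information an agent running inside the process has and a black-box scanner does not.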

You can set up the IAST agent that communicates with AppScan Enterprise either through the UI or through the REST API. For more information on the IAST REST API, refer to the REST API documentation.

How to use IAST in AppScan Enterprise

Table 1. IAST workflow

  How to: Configuring IAST Communication Service in AppScan Enterprise Server
  Details: This process instructs you on configuring the IAST Communication Service in AppScan Enterprise.

  How to: Download and deploy an IAST agent on a web server
  Details: This process instructs you on deploying the IAST agent on the web server where the tested application is installed.

  How to: Managing IAST agents in AppScan Enterprise
  Details: This process instructs you on how to create and manage multiple agents on a single application.

IAST Agent system requirements

Java
  Servers:
    • Tomcat, Version 7 or higher
    • WebSphere, Version 8.5 or higher
    • WebSphere Liberty, Version 19 or higher
    • Open Liberty, Version 19 or higher
    • JBoss/WildFly, Version 10 or higher
    • WebLogic, Version 12 or higher
  Runtime Environment:
    • Web application servers running JRE/JDK 1.8 or higher
  Frameworks:
    • Struts
    • Spring Boot
  Software:
    • Java versions 8 and higher
.NET
  • CPU: Recommended 4, minimum 2
  • RAM: Minimum 8GB
  • Server running IIS 7 or higher
  • .NET Framework 4.5, 4.72, 4.8
Node.js
  • JavaScript ECMAScript 6
  • Application Framework: Express 4