Changing the DAST Game with Netsparker IAST

Zbigniew Banach - Tue, 30 Mar 2021

Netsparker has added an interactive testing component to its dynamic application security testing engine to create a game-changing DAST+IAST combination. This article presents the Netsparker approach to IAST and announces a white paper highlighting its benefits.


Introducing True Interactive AST

Interactive application security testing (IAST) is a catch-all term for a range of security testing approaches that sit between source code analysis (SAST) and black-box dynamic testing (DAST). What they have in common is that an IAST component attaches to a running application to monitor code execution and detect insecure operations and behaviors as they happen. The fundamental difference between products lies in how that component is controlled, and this is where Netsparker’s True IAST approach stands out.

Putting the “I” into IAST: Netsparker Shark

Most runtime security testing tools that are labeled as IAST are launched separately from the test suite or vulnerability scanner that exercises the application, with little or no interaction between the initiator and the IAST component during testing. Netsparker introduces truly interactive security testing by integrating an additional IAST module, called Netsparker Shark, into its DAST solution. The core scanning engine continuously communicates with the interactive testing component to guide its execution and obtain deeper insights into how the application reacts to test payloads.

When enabled, the Shark module attaches to the application runtime without any need for source code access or modification (the agent still has to be deployed into the test environment, but it does not need the application’s source). By monitoring code execution during dynamic security testing, Shark provides the core scanning engine with runtime information that is inaccessible with DAST alone, with only minimal performance overhead. True IAST with Netsparker Shark is currently available for PHP, Java, and .NET applications, with more technologies in development.

The True IAST Difference

Netsparker’s IAST module works hand in hand with the scanning engine, so it extends vulnerability testing results obtained using Proof-Based Scanning™ by isolating the source of the issue in the application code, often down to the specific line number. It also provides additional confirmation and attack payloads for detected vulnerabilities and returns information about local assets and the security of the local application environment that is invisible from the outside. All this intelligence is automatically incorporated into scan results to give security engineers and developers detailed and actionable vulnerability reports for a wider range of issues.
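To make the DAST+IAST correlation described above concrete, here is an added illustration in Python. It is not Netsparker’s code and says nothing about how Shark is implemented internally; the toy App, the hypothetical Agent that wraps the SQL sink at runtime, and the scan() routine are all constructed for this example. The scanner sends a payload carrying a unique marker; the agent, installed in the running application without touching its source, watches the sink and records the calling function and line whenever that marker reaches the sink as SQL text rather than as a bound parameter.

```python
"""Toy DAST+IAST correlation: a scanner sends marked payloads while a
runtime agent watches a dangerous sink and reports where the marker lands.
Added example; the App, Agent and scan() names are assumptions."""
import inspect
import sqlite3
import uuid


class App:
    """Constructed target app: one vulnerable and one safe search handler."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users(name TEXT)")
        self.conn.execute("INSERT INTO users VALUES ('alice')")

    def run_sql(self, query, params=()):
        # The sink the agent instruments.
        return self.conn.execute(query, params).fetchall()

    def vulnerable_search(self, name):
        # Builds the query by concatenation: attacker text reaches the sink as SQL.
        query = "SELECT name FROM users WHERE name = '" + name + "'"
        return self.run_sql(query)

    def safe_search(self, name):
        # Parameterised: attacker text travels as data, never as SQL.
        return self.run_sql("SELECT name FROM users WHERE name = ?", (name,))


class Agent:
    """Hypothetical IAST agent: wraps the sink inside the running app."""

    def __init__(self, app):
        self.findings = []
        self.active_marker = None  # set by the scanner for the duration of a probe
        original = app.run_sql

        def hooked(query, params=()):
            # Marker present in the SQL text itself means user input became code.
            if self.active_marker and self.active_marker in query:
                caller = inspect.stack()[1]  # the frame that called the sink
                self.findings.append({
                    "sink": "run_sql",
                    "file": caller.filename,
                    "function": caller.function,
                    "line": caller.lineno,
                    "query": query,
                })
            return original(query, params)

        app.run_sql = hooked  # instance-level patch: no source changes to the app


def scan(app, agent, handler):
    """Scanner side: send a uniquely marked payload, then read the agent's findings."""
    agent.findings.clear()
    marker = "iast" + uuid.uuid4().hex[:8]
    payload = f"x' OR '{marker}'='{marker}"
    agent.active_marker = marker
    try:
        rows = handler(payload)
        response = {"rows": len(rows), "error": None}
    except sqlite3.Error as exc:
        response = {"rows": 0, "error": str(exc)}
    finally:
        agent.active_marker = None
    # DAST alone only sees `response`; the IAST side adds the sink, function and line.
    return {"dast": response, "iast": list(agent.findings)}


if __name__ == "__main__":
    app = App()
    agent = Agent(app)
    for handler in (app.vulnerable_search, app.safe_search):
        result = scan(app, agent, handler)
        print(handler.__name__, result["dast"], result["iast"])
```

Run against vulnerable_search the scanner sees the injected tautology return every row, and the agent reports the exact function and line that concatenated the payload into the query; against safe_search the same payload produces no rows and no finding, because the marker only ever appears in the bound parameter.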

The Benefits of True IAST: Announcing the Netsparker White Paper

Netsparker Shark is easy to deploy and unlocks a range of benefits across the organization, starting with improved application security and more scalable web application security workflows. The Netsparker white paper Changing the DAST Game with Netsparker IAST provides more insight into the advantages of the True IAST approach, including faster issue resolution, better working relations between teams, a shorter time to value, and measurable cost savings. Introducing Netsparker’s IAST into the enterprise security model helps organizations build a scalable application security program through efficient and confident automation.

Read the full white paper: Changing the DAST Game with Netsparker IAST


About the Author

Zbigniew Banach

Technical Content Writer at Netsparker. Drawing on his experience as an IT journalist and technical translator, he does his best to bring web security to a wider audience on the Netsparker blog and website.