At EuroStar 2016 I visited a track about IAST (Interactive Application Security Testing) and it was really amazing to see that there is a "new" technique (based on a feature since Java 1.5) that could destroy DAST (dynamic app sec test - hey, you know the scanners which only find ~1/3 of real defect areas) and SAST (static analysis sec test - FindSecBugs, Fortify, Sonatype & Co.).
Anybody here who has experience in the wild with it?
Thanks for your feedback. In the meantime I was able to do a proof of concept where I tested two IAST solutions. It was very easy in both tools to set them up: include a .jar in the starting routine, run your tests and get impressed by the results. We found security issues we had never seen before.
From my experiences:
IAST will change the security testing task from a one-off task to an ongoing monitoring task which could also be done by DevOps/Operations. Integrating the IAST tool into existing defect reporting tools, like Jira, and chat channels, like Slack, will bring security into the game as a daily task instead of doing "security tests at the end because it needs to be done".
Also I have learned that there is a solution to have ZERO (!) false positives!
Look for the OWASP Security Benchmark and see that all our activities in web applications really have a problem: we only find <30% of the issues and often we have many, many false positives, especially in the static code analysis area (SAST tools), which matches my experience.