Interactive Application Security Testing - experiences?

(Joerg) #1

At EuroStar 2016 I visited a track about IAST (Interactive Application Security Testing) and it was really amazing to see that there is a “new” technique (based on a feature since Java 1.5 :)) that could destroy DAST (dynamic app sec test - hey, you know the scanners which only find ~1/3 of real defect areas) and SAST (static analysis sec test - FindSecBugs, Fortify, Sonatype & Co.).

Anybody here who has experience in the wild with it?

Thank you in advance!

(Juha) #2

Burp Suite came out with an interactive web application testing extension called “Burp Infiltrator” some time ago. Basically it will inject jars (only Java backends are supported) on the server so that dynamic tests can get feedback that is never gained through black-box dynamic testing. How this differs from the default functionality is that now there is a closed feedback loop between the dynamic testing and the static bytecode. The instrumenting code that is injected will communicate with the dynamic tool and that way more information about the application can be gained.

I’ve never been able to use this feature, as it requires a lot of setting up that I can almost never do as an external tester.

On a related note, as I mostly do manual testing, we in our team have started doing something we call “opportunistic code review”. This means that when we find an issue by dynamic testing we will locate it and scan the code for duplicate bugs. While this has the same thought behind it as interactive security testing, many of our methods rely on manual steps, product-specific code searching scripts, etc. The idea of trying to automate this is great, but I find a hybrid approach to be less error-prone and more flexible. Then again I never really tried an automated tool for this.
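The closed feedback loop described in the post above (an instrumented sink reporting back to the dynamic test) modelled in a few lines of Python, as an added example that is not code from this thread, from Burp Infiltrator or from any IAST product; the agent side is simulated with a decorator instead of JVM bytecode instrumentation, and `execute_sql`, `request_param` and the lookup functions are constructed stand-ins for a real application:

```python
"""Toy IAST-style instrumentation: track untrusted input from source to sink."""
import functools
import inspect


class Tainted(str):
    """String that originated from an untrusted source (e.g. an HTTP parameter)."""

    def __new__(cls, value, source):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    # Concatenation propagates taint, as an IAST agent does for String operations.
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.source)

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.source)


FINDINGS = []  # what the agent would send back to the dynamic testing tool


def instrument_sink(sink_name, arg):
    """Stand-in for the hook an agent places on one parameter of a sink method."""
    def wrap(fn):
        @functools.wraps(fn)
        def hooked(*args, **kwargs):
            value = args[arg] if arg < len(args) else None
            if isinstance(value, Tainted):
                caller = inspect.currentframe().f_back  # where the sink was reached
                FINDINGS.append({"sink": sink_name, "source": value.source,
                                 "location": f"{caller.f_code.co_name}:{caller.f_lineno}"})
            return fn(*args, **kwargs)
        return hooked
    return wrap


@instrument_sink("sql.execute", arg=0)  # only the query text is the dangerous argument
def execute_sql(query, params=()):
    return (query, params)  # constructed: a real driver would run the statement


def request_param(name, value):
    return Tainted(value, f"http.param:{name}")  # untrusted source, as the agent tags it


def vulnerable_lookup(user):
    # Untrusted data flows unchanged into the query text: the hook reports a finding.
    return execute_sql("SELECT * FROM users WHERE name = '" + user + "'")


def safe_lookup(user):
    # Bound parameter, never part of the query text: no finding, no false positive.
    return execute_sql("SELECT * FROM users WHERE name = ?", (user,))


def run_dynamic_tests():
    """One request per handler, as a DAST scanner would send; return agent findings."""
    FINDINGS.clear()
    vulnerable_lookup(request_param("user", "alice"))
    safe_lookup(request_param("user", "alice"))
    return list(FINDINGS)
```

Only the path where tainted data actually reaches the sink's query argument is reported, which is the property that lets an IAST tool avoid the pattern-matching false positives of SAST.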

(Joerg) #3
Thanks for your feedback. In the meanwhile I was able to do a proof of concept where I tested two IAST solutions. It was very easy in both tools to set them up. Include a .jar in the starting routine, run your tests and get impressed by the results. We found security issues we had never seen before.

From my experiences:

IAST will change the security testing task from a task to an ongoing monitoring task which also could be done by DevOps/Operations. Integrating the IAST tool into existing defect reporting tools, like Jira, and chat channels, like Slack, will bring security into the game of a daily task instead of doing “security tests at the end because it needs to be done”.

Also I have learned that there is a solution to have ZERO (!) false positives!

Look for the OWASP Security Benchmark and see that all our activities in web applications really have a problem: We only find <30% of the issues and often we have many, many false positives, especially in the static code analysis area (SAST tools), which matches my experience.

IAST is really a good thing for security testing.