Market-defining IAST Testing for Modern Agile & DevOps Methodology
WHITEPAPER | CONTRAST ASSESS
WHAT IS INTERACTIVE APPLICATION SECURITY TESTING?
Analyst firm Gartner has defined the IAST category as follows:
“Interactive application security testing (IAST) uses instrumentation that combines
dynamic application security testing (DAST) and static analysis security testing (SAST)
techniques to increase the accuracy of application security testing. Instrumentation
allows DAST-like confirmation of exploit success and SAST-like coverage of the
application code, and in some cases, allows security self-testing during general
application testing. IAST can be run stand-alone, or as part of a larger AST suite,
typically DAST.” [1]
How is the Contrast Assess approach to IAST unique?
Gartner’s definition is relatively broad, allowing for a variety of solutions to be classified as an IAST product.
In practical terms, the difference between IAST products is significant.
Specifically, only Contrast Assess addresses the phrase above in bold (emphasis added: “allows security
self-testing during general application testing”), which represents a complete shift in how application
security is performed: a product that enables security self-testing during general testing and eliminates
the need for a separate security testing phase. Contrast replaces the point-in-time vulnerability assessment
“snapshot” of SAST, DAST and other IAST solutions with a continuous flow of telemetry about vulnerabilities.
Competing IAST solutions conform to the Gartner definition, but find vulnerabilities using DAST or DAST-like
techniques to simulate attacks against a running application. Organizations using those solutions must
still wait for a separate security testing scan to complete, to receive a snapshot of their application security
status from that scan. This is not a continuous view.
Contrast Assess neither scans nor attacks applications, but uses patented state-of-the-art deep security
instrumentation technology to combine the most effective elements of static and dynamic testing, software
composition and configuration analysis technologies, and deliver them directly into applications.
Contrast Assess performs static analysis before the code starts running – including custom code as well as all code
found in libraries, frameworks, application servers, and the runtime platform – and adds instrumentation to observe
and report on the running code as it executes.
WELCOME TO THE ERA OF SELF-PROTECTING SOFTWARE | CONTRASTSECURITY.COM
How is Contrast Assess Different than SAST?
Traditional SAST solutions attempt to build a model of an application and pseudo-execute it from known
entry points – but SAST is blind to how all the pieces of an application work together and operate at
runtime, and can generate extensive false negatives and false positives. Contrast Assess observes real
data and control flow activity from within a running application, and identifies a much broader range of
vulnerabilities – with greater accuracy – than traditional SAST solutions. Contrast Assess is fully distributed
and infuses each application with a “self-assessment” capability that performs analysis continuously, in
parallel, across an entire portfolio of applications. SAST solutions cannot operate in a distributed manner
because they rely on experts to analyze and triage results, which creates a significant bottleneck.
How is Contrast Assess Different than DAST?
Traditional DAST tools try to exploit the running application with attacks, and detect vulnerabilities by
analyzing HTTP responses – but DAST is blind to what occurs within the application, and provides only
limited coverage of an application. Contrast Assess performs a complete static analysis of all the code,
as described above, and analyzes HTTP traffic and HTTP responses from inside the application. Because
Contrast Assess works from within the application, it also provides more accurate analysis than traditional
Penetration (Pen) Testing tools.
And, unlike either SAST or DAST products, Contrast Assess uses techniques found in Software
Composition Analysis (SCA) tools to build an inventory of all the libraries, frameworks, and microservices
used by the application to identify vulnerabilities across all those components.
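The instrumentation approach described above (source and sink hooks inside the running application, observing data flow during ordinary functional tests rather than scanning or attacking) can be illustrated with the following toy agent. It is an added example, not Contrast's agent or any of its code; Tainted, request_param, instrumented_execute and the find_user_* functions are hypothetical names, and the request and database contents are constructed. A benign QA input is enough to produce the finding, and the parameterized variant of the same query produces none.

```python
"""Toy IAST-style agent: tag HTTP parameters as tainted at the source, propagate
the tag through concatenation, and report when tainted SQL text reaches the DB
sink during a normal functional test. Added example, not Contrast's agent."""
import sqlite3

class Tainted(str):
    """A str that remembers which untrusted source it came from."""
    source: str
    def __new__(cls, value: str, source: str) -> "Tainted":
        obj = super().__new__(cls, value)
        obj.source = source
        return obj
    # Propagation: concatenation with a tainted operand keeps the taint.
    def __add__(self, other: str) -> "Tainted":
        return Tainted(str.__add__(self, other), self.source)
    def __radd__(self, other: str) -> "Tainted":
        return Tainted(str.__add__(other, self), self.source)

FINDINGS: list[dict] = []  # telemetry the agent would stream to its server

def request_param(request: dict, name: str) -> Tainted:
    """Source hook: data from the HTTP request enters the app tainted."""
    return Tainted(request["params"][name], f"request.params[{name}]")

def instrumented_execute(cur: sqlite3.Cursor, sql: str, params=()) -> sqlite3.Cursor:
    """Sink hook: tainted query text is the finding; bound parameters are fine."""
    if isinstance(sql, Tainted):
        FINDINGS.append({"rule": "sql-injection", "source": sql.source, "sql": str(sql)})
    return cur.execute(sql, params)

def find_user_vulnerable(db: sqlite3.Connection, request: dict) -> list:
    name = request_param(request, "name")
    sql = "SELECT id FROM users WHERE name = '" + name + "'"  # taint flows into the text
    return instrumented_execute(db.cursor(), sql).fetchall()

def find_user_safe(db: sqlite3.Connection, request: dict) -> list:
    name = request_param(request, "name")
    query = "SELECT id FROM users WHERE name = ?"  # literal text; tainted value bound
    return instrumented_execute(db.cursor(), query, (name,)).fetchall()

def run_functional_test() -> list[dict]:
    """A normal QA test with a benign input: no attack payload is needed."""
    FINDINGS.clear()
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice')")
    request = {"params": {"name": "alice"}}  # constructed request
    assert find_user_vulnerable(db, request) == [(1,)]
    assert find_user_safe(db, request) == [(1,)]
    return list(FINDINGS)
```

A real agent hooks the web framework's request parsing and the database driver rather than asking application code to call wrappers, but the source, propagation and sink logic is the same.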