WHITEPAPER | INTERACTIVE APPLICATION SECURITY TESTING (IAST)
INTERACTIVE APPLICATION SECURITY TESTING (IAST)
Interactive application security testing (IAST) runs inside the application while it executes,
continuously monitoring it and identifying vulnerabilities. Contrast Security uses aspect-oriented programming
techniques [1] to create IAST “sensors” that weave security analysis into an existing application at runtime.
These sensors allow Contrast to extract context, data-flow, and control-flow information from within the
application and provide access to the actual data values passing through the running code. Because
of this wealth of information, Contrast can identify problems that other tools cannot, and achieve an
unprecedented level of accuracy without generating false positives.
For example, Contrast can identify credit card numbers extracted from a database and report when
these credit card numbers end up exposed in a log file. It can identify a weak encryption algorithm specified
in a properties file, or even trace data that flows from within an encoded cookie, through a data bean, into a
session store, into a JSF component, and finally into a browser — indicating a Cross-site Scripting (XSS)
weakness. Contrast can also see vulnerabilities spanning custom code, third-party libraries, application
frameworks, and the runtime platform itself. Static and dynamic analysis tools, and even human security analysts,
have extreme difficulty finding these types of deep security flaws. Through the creation of Contrast Assess
rules, or “sensors,” that become part of the organization’s immune system, Contrast makes it possible to
deliver “security as code.” Application security experts can translate their research into new sensors in
Contrast Assess and deploy them into the development process.
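The cookie-to-browser flow described above can be modelled in a few lines. The following is an added Python illustration of how runtime sensors of this kind track tainted data from a source, through propagators and sanitizers, to a sink; it is not Contrast's Java agent or any of its rules. The function names, the `http-cookie` source, the `reflected-xss` rule name and the request dictionary are all constructed for the example.

```python
from functools import wraps
import html

FINDINGS = []  # what the rule engine would report to the Team Server
class Tainted(str):
    """A str that remembers the data-flow trace of where it has been."""
    def __new__(cls, value, trace):
        obj = super().__new__(cls, value)
        obj.trace = list(trace)
        return obj

def sensor(kind, name):
    """Weave a sensor around a function, like AOP 'around' advice.
    kind is one of: source, propagator, sanitizer, sink."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(*args, **kwargs):
            result = fn(*args, **kwargs)
            tainted = [a for a in args if isinstance(a, Tainted)]
            if kind == "source":                      # new taint enters here
                return Tainted(result, [f"source:{name}"])
            if kind in ("propagator", "sanitizer") and tainted:
                return Tainted(result, tainted[0].trace + [f"{kind}:{name}"])
            if kind == "sink":                        # report unsanitized taint
                for arg in tainted:
                    if not any(s.startswith("sanitizer:") for s in arg.trace):
                        FINDINGS.append({"rule": name, "trace": arg.trace + [f"sink:{name}"]})
            return result
        return wrapper
    return decorate

# Hypothetical application code (constructed), instrumented by the sensors above.
@sensor("source", "http-cookie")
def read_cookie(request):
    return request["cookie"]

@sensor("propagator", "UserBean.setName")
def store_in_bean(name):
    return name.strip()

@sensor("sink", "reflected-xss")
def render_page(fragment):
    return f"<p>Hello {fragment}</p>"

escape = sensor("sanitizer", "html-escape")(html.escape)  # library call as sanitizer
def handle(request, sanitize):
    # Push one request through the flow; returns (rendered page, findings).
    FINDINGS.clear()
    name = store_in_bean(read_cookie(request))
    page = render_page(escape(name) if sanitize else name)
    return page, list(FINDINGS)
```

Because the sensors see the actual value at each step, the reported trace names every method the data passed through, which is the evidence a developer needs to fix the flow rather than a guess about where it started.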
Remember the NSA study?
Contrast correctly identifies 74% of the full suite of test cases in the NSA study, and 98% of those focused on web
application vulnerabilities with ZERO false alarms. This means that Contrast can identify and provide remediation for
vulnerabilities that otherwise may go undetected.
[Figure 1: diagram of the Contrast engine running inside the Java runtime, taking data from passive sensors in custom code, libraries, frameworks and the application server, and producing security information.]
Figure 1. Speed and Accuracy
Contrast’s unique access to information about the application delivers unprecedented levels of speed and
accuracy in identifying vulnerabilities as fast as applications run.
[1] https://en.wikipedia.org/wiki/Aspect-oriented_programming. Or, for an easy example of how aspect-oriented programming works, see: http://www.infoworld.com/article/3040557/application-development/my-two-cents-on-aspect-oriented-programming.html
WELCOME TO THE ERA OF SELF-PROTECTING SOFTWARE | CONTRASTSECURITY.COM
APPLICATION SECURITY ANALYTICS AT ENTERPRISE SCALE
Getting great results one application at a time isn’t good enough. To help organizations meet application
security challenges, technology must scale to the entire application portfolio. Contrast brings the power
of intrinsic analysis to hundreds of thousands of applications. In some ways, Contrast is like analytics
platforms such as New Relic or Google Analytics. Millions of websites use these powerful tools to extract
performance and marketing information from running applications. Both services work by instrumenting
running applications, sending findings to a server, and using that data to create useful reports and
dashboards.
[Figure 2: diagram of an instrumented application stack: browsers; user interface (JSP, JSF, servlet); controllers (Spring MVC); business logic (“My Stuff”, “Mutual Funds”); services (web services, Hibernate, encryption); web server.]
Figure 2. Easy and Scalable
Since Contrast doesn’t require a compute farm or large scanning engine, it’s easy to add it to all application servers. As applications
are tested and run, Contrast reports critical security information over a secure channel to the Contrast Team Server.
Contrast provides application security analytics by employing a similar model. When Contrast’s security
plugin is installed into application servers, it automatically and invisibly instruments them with simple
passive sensors and a powerful rule engine. Getting up and running typically takes less than five minutes
and requires no enterprise security skills. As applications run normally during quality assurance and testing,
Contrast automatically reports vulnerabilities to the Central Contrast Team Server.