start portlet menu bar

HCLSoftware: Fueling the Digital+ Economy

Display portlet menu
end portlet menu bar
start portlet menu bar end portlet menu bar
Close
Select Page
Secure DevOps
  | March 31, 2020

Breaking AppSec News: “I Finally Got What IAST For!”

Rob Cuddy
Rob Cuddy
Global Application Security Evangelist
Breaking AppSec News: “I Finally Got What IAST For!”

It wasn’t THAT long ago when prevailing thinking around software applications was to avoid updating them right away when a new version came out.  Particularly if it was the first version of an application.  Why?  Because we all just knew there would be lots of bugs and issues. We figured we would be better off letting them get fixed and waiting for the next update.  Let someone else be the guinea pig. right?

Well, no more! The thinking has completely shifted to consuming updates for applications on an almost daily basis – or even more frequently than that!   Why?  Because we all want the latest and greatest features.  We no longer want to wait 6 months for a new capability because modern software practices (microservices & containers anyone?) allow us to deliver it as soon as it is available.  No more having to wait for every other part of the application to be ready to release!

An Application Reporting On Its’ Vulnerabilities. Really?

But software, when it is released, HAS to be secure.  While no one WANTS to release vulnerable software, a fast-paced world of software development often causes trade-off decisions between speed, quality and resiliency.  In that mode, trying to maintain security can be a daunting challenge.

But, wouldn’t it be great if I could deploy my application to testing, and while it was being tested it could also be monitoring and reporting on vulnerabilities found while teams were using it?  And what if some of the interactions occurring were based on the functional testing that I was already doing?  My QA teams would automatically be helping me find and fix security issues while in context and in scope.  And wouldn’t it also be cool if I could do the same with with a release into production?   I would know right away that issues found were real, and I’d know exactly what was going on when the vulnerability was found.

You’ve asked.  And now HCL AppScan has introduced IAST to its already deep portfolio of application security tools.  And here is why it matters for you.

IAST is Fast – DevOps Fast

The single greatest advantage of IAST is its speed.  When used in conjunction with SAST and DAST, it can give you the best of both worlds.  It’s a perfect fit for DevOps because it is a zero-time analysis.  There is no actual “scanning” occurring.  Instead, the IAST agent is monitoring the application as it is executed by another function (usually functional testing), and it reports back on the security issues that it identifies. And the IAST report yields developer focused results that specifically show the vulnerabilities, along with the line of code and the call stack that was captured.

AppScan IAST+ is Accurate

But it doesn’t matter if your scan is fast if the results you get are not reliable.  Because the analysis is performed on running applications, it can only identify actual executed scenarios.  That means it depends on interactions from a user or an automated test, so naturally you get fewer false positives and fewer false negatives.  Another key advantage for AppScan IAST+ is that it builds upon the vast experience AppScan has with DAST and SAST to improve IAST further. One key example is its ability to evaluate regular expression sanitizers.  Normally, evaluating sanitized functions that use regular expression is extremely difficult, but thanks to our vast DAST knowledge we have been able to incorporate this into AppScan IAST.

AppScan IAST+ Performs

If you are wondering about any potential performance impact on your ongoing development activities, we have good news.  We found that IAST tools that have a < 10% performance impact for Java.  AppScan IAST+ has a less than 4% performance hit for Java and the effect on the application load is insignificant.    Our passive IAST monitors applications during  existing functional (or any other) testing, hence the zero time analysis.  But AppScan IAST+ can also leverage AppScan’s DAST engine to complement functional testing coverage if needed

It’s Part of a Larger Application Security Solution

To be clear, no one is advocating that organizations drop their SAST and DAST initiatives in favor of IAST. With an ever-increasing threat landscape there is a place and need for each of these types of security tests.   AppScan IAST is meant to complement and enhance your security testing. It is much more than a point solution.  It is meant to be part of a comprehensive Application Security Testing suite, and was designed to show your results side by side with your DAST, SAST and SCA findings.   That means the results you receive from AppScan Standard, AppScan Source, AppScan Enterprise and AppScan on Cloud can all be viewed together to give you a more holistic view of your security posture.

And We’re Just Getting Started!

We will continue to work to deliver the best capabilities to market that enable you to have the breadth, depth and speed you need to succeed in modern software development.  Let us know what you’d like to see. We’d love to hear from you.  Our new IAST capabilities are part of the AppScan V10 release. To learn more about this and other great additions, visit my launch blog and see our livestream event replay.

Comment wrap
Rob Cuddy
Rob Cuddy
Global Application Security Evangelist
Rob is currently a Global Application Security Evangelist for HCL providing thought leadership for the application security space, particularly as it relates to DevOps and DevSecOps initiatives. Prior to this role, Rob was with IBM for 14 years with roles in Application Security Evangelism, Worldwide Sales Enablement, Tiger Teams and Field Services for the Management and Platform Segment offerings in IBM Cloud. Rob has worked with clients all over the world to help address their challenges in ways that bring a positive impact to the business bottom line. Rob has spoken at numerous events and conferences, including Evanta CISO Summits, THINK, InterConnect, DevloperConnect, IBM Top Guns and many customer events. Prior to IBM, Rob spent 13 years with 5 different companies working as a configuration management specialist with an emphasis on Rational tooling. Rob graduated from the University of Southern California with a degree in Aerospace Engineering and is an avid fan of college football. When not at work, Rob enjoys spending time with his family, serving with his church, running and cycling. You can connect with Rob through the Application Paranoid podcast, via LinkedIn, Facebook and Instagram but the best way is by joining the “Robservatory” on twitter using the handle @Robservatory.
Read more

Topics in this article:

Application SecurityDevOpsDevSecOpsIAST

Submit a Comment

Your email address will not be published. Required fields are marked *

* HCL provides software and services to the U.S. Federal Government through its partner Four, Inc. Please contact Four, Inc. at the U.S. Federal Government contact page.


appscan
Secure DevOps | July 12, 2024
How to Secure Your Open Source: Best Practices for Application Security Testing
Learn best practices for integrating security early in development, conducting regular audits, and continuous monitoring to protect your applications.
Uffe Sorensen
Courtney Coleman
appscan
Secure DevOps | June 26, 2024
Important Announcement: HCL AppScan Plans Licensing Changes to Take Effect June 2025
HCL AppScan announces a 12-month roadmap for enhanced features across all solutions. New licensing model, updated distribution platform, and end-of-support for older versions.
Uffe Sorensen
Ayan Som
Senior Product Manager, HCL AppScan
start portlet menu bar end portlet menu bar