Vol. 1 · Ed. 2026
CyberGlossary
Entry № 566

IAST (Interactive Application Security Testing)

Reviewed by: Cybersecurity entrepreneur & security researcher

What is IAST (Interactive Application Security Testing)?

IAST (Interactive Application Security Testing): Application security testing that instruments a running application from the inside to observe code execution while it is being exercised by traffic or tests.


IAST agents are loaded into the application process (typically via a language runtime hook) and watch data flows, function calls and HTTP requests in real time. By combining the inside view of SAST with the runtime context of DAST, IAST can confirm whether tainted input actually reaches a dangerous sink, which sharply reduces false positives and pinpoints the vulnerable line of code. It is usually run during functional or QA testing rather than against production. IAST works best for instrumented languages such as Java, .NET, Node.js and Python; example tools include Contrast Security, Checkmarx CxIAST and Seeker.
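The mechanism described above (a source hook that tags request input as tainted, a sink hook that reports when that taint reaches a dangerous call, and a finding that names the application frame) is small enough to show end to end. The following toy agent is an added example written for this entry; it is not code from Contrast Security, Checkmarx or Seeker, and the application under test, its SQLite schema and the function names (`Tainted`, `install_agent`, `lookup_user`, `run_qa_traffic`) are all constructed for the illustration. It hooks `urllib.parse.parse_qs` as the request-input source and `sqlite3.connect` as the way into the database sink, so the application code itself is left unmodified, as a real agent would leave it. Taint propagation here covers only `+` and `%` string building; a product agent tracks propagation far more completely.

```python
"""Toy IAST agent: a runtime hook tags request input as tainted and an instrumented
SQL sink reports when tainted text reaches it. Illustrative code, not a product's agent."""
import functools
import sqlite3
import sys
import urllib.parse

FINDINGS = []  # vulnerabilities confirmed at runtime, each with the responsible app frame


class Tainted(str):
    """str subclass marking text that came from an untrusted request (constructed marker).
    Taint survives '+' and '%' string building; other str methods drop it in this toy."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

    def __rmod__(self, template):
        return Tainted(str.__mod__(template, self))


def _app_frame():
    """Walk up the call stack to the first frame not flagged as agent code."""
    frame = sys._getframe(1)
    while frame is not None and frame.f_locals.get("_IAST_FRAME"):
        frame = frame.f_back
    return frame


class _IastCursor(sqlite3.Cursor):
    """Sink instrumentation: query text that is still tainted means request input
    shaped the SQL, i.e. injection confirmed with real execution context."""

    def execute(self, sql, parameters=()):
        _IAST_FRAME = True  # lets _app_frame() skip this frame
        if isinstance(sql, Tainted):
            frame = _app_frame()
            FINDINGS.append({
                "rule": "sql-injection",
                "sink": "sqlite3.Cursor.execute",
                "location": f"{frame.f_code.co_name}:{frame.f_lineno}",
                "evidence": str(sql),
            })
        return super().execute(sql, parameters)


class _IastConnection(sqlite3.Connection):
    """Connection subclass that hands out instrumented cursors."""

    def cursor(self, factory=None):
        _IAST_FRAME = True
        return super().cursor(factory or _IastCursor)

    def execute(self, sql, parameters=()):
        _IAST_FRAME = True
        return self.cursor().execute(sql, parameters)


_orig_parse_qs = urllib.parse.parse_qs
_orig_connect = sqlite3.connect


def _tainting_parse_qs(qs, *args, **kwargs):
    """Source instrumentation: every query-string value comes back as Tainted."""
    parsed = _orig_parse_qs(qs, *args, **kwargs)
    return {k: [Tainted(v) for v in vals] for k, vals in parsed.items()}


def install_agent():
    """'Load' the agent into the process by hooking the request-parsing source
    and the database entry point; the application code is not modified."""
    urllib.parse.parse_qs = _tainting_parse_qs
    sqlite3.connect = functools.partial(_orig_connect, factory=_IastConnection)


# ---- application under test: a constructed toy service exercised by QA traffic ----
def create_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user')")
    return conn


def lookup_user(conn, query_string):
    """GET /user?name=... built by concatenation: the defect IAST should pinpoint."""
    name = urllib.parse.parse_qs(query_string)["name"][0]
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    cursor = conn.cursor().execute(sql)  # the finding points at this line
    return [row[0] for row in cursor]


def lookup_user_safe(conn, query_string):
    """Same endpoint with a bound parameter: request input never becomes query text."""
    name = urllib.parse.parse_qs(query_string)["name"][0]
    cursor = conn.cursor().execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in cursor]


def run_qa_traffic():
    """Drive both handlers with ordinary functional-test input and return
    (handler results, findings). No attack payload is needed: the agent sees
    the taint reach the sink during a normal request."""
    FINDINGS.clear()
    install_agent()
    conn = create_db()
    results = [lookup_user(conn, "name=alice"), lookup_user_safe(conn, "name=bob")]
    return results, list(FINDINGS)


if __name__ == "__main__":
    results, findings = run_qa_traffic()
    print("handler results:", results)
    for finding in findings:
        print("IAST finding:", finding)
```

Running it reports one finding against `lookup_user` only: both handlers return correct results for the benign input `name=alice` and `name=bob`, yet only the concatenating handler lets tainted text become the query string, which is exactly the distinction that lets IAST confirm a vulnerability without false positives and without needing an exploit payload in the test suite.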

Examples

  1. Attaching a Contrast Security agent to a Java service in QA to find XSS during E2E tests.

  2. Using Seeker to confirm SQL injection in a Node.js API while running Cypress flows.

Frequently asked questions

What is IAST (Interactive Application Security Testing)?

Application security testing that instruments a running application from the inside to observe code execution while it is being exercised by traffic or tests. It belongs to the Application Security category of cybersecurity.

What does IAST (Interactive Application Security Testing) mean?

Application security testing that instruments a running application from the inside to observe code execution while it is being exercised by traffic or tests.

How do you defend against IAST (Interactive Application Security Testing)?

Defences for IAST (Interactive Application Security Testing) typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for IAST (Interactive Application Security Testing)?

Common alternative names include: Interactive analysis, Runtime code analysis.

Related terms