Fluid Attacks’ Interactive Application Security Testing (IAST) is a technique that combines the advantages of the SAST and DAST techniques to enhance the accuracy of security testing. In relation to SAST, we reach coverage of the entire application code, and with regard to DAST, we get confirmation of exploitability. The IAST technique takes both an internal and external look at the running application, identifying exploitable and non-exploitable vulnerabilities and pointing them out in the application code. During the automated and manual testing, working with IAST means continuously analyzing your application, with real-time feedback, covering source code, control and data flows, configurations, and various components’ interactions in your CI, QA or production environment.
These are the benefits of IAST
Unaffected DevOps speed
The integration of the IAST technique into your CI/CD pipelines occurs seamlessly. Vulnerabilities are reported in real time from within your applications, and therefore DevOps speed is preserved in your workflows.
Assessments considering changes
IAST also works on an incremental basis to identify and report new vulnerabilities in the code as your developers modify the application. Early detection of weaknesses facilitates their remediation and saves both time and money.
Minimal rates of false positives
Through an exhaustive manual check, our certified team of ethical hackers can reduce the rates of false positives appearing on automatic IAST to a minimum.
Low rates of false negatives
An IAST technique performed both automatically and manually allows us to guarantee low rates of false negatives, contrary to what can be achieved by companies that depend exclusively on tools.
An element of a comprehensive test
The IAST technique can be complemented by other methods used in Fluid Attacks, such as SAST, DAST, SCA, RE, and Manual Pentesting, to constitute a comprehensive application security testing.