
The intersection between IAST and SCA and why you need both in your security toolkit


Two powerful yet relatively new technologies in application security testing are Interactive Application Security Testing (IAST) and Software Composition Analysis (SCA). IAST solutions are designed to help organizations identify and manage security risks associated with vulnerabilities discovered in running web applications, using dynamic testing (aka runtime testing) techniques.

SCA, a term coined by market analysts, describes an automated process to identify open source components in a codebase. Once a component is identified, it becomes possible to map that component to known security disclosures and to determine whether multiple versions of it are present within an application. SCA also helps identify whether the age of a component might present maintenance issues. While not strictly a security consideration, SCA also facilitates legal compliance related to those open source components.

The Need for Integrated IAST and SCA

According to the 2018 Verizon Data Breach Investigations Report, web application attacks remain the most common vector for data breaches. Web applications are the attack surface of choice for hackers attempting to get access to sensitive IP/data and personal data, such as usernames and passwords, credit card numbers, and patient information. Organizations need to ensure that the web applications they develop are secure, ideally before they are deployed in production, and developers need to be able to perform quick fixes when critical vulnerabilities are discovered.

Web applications are seldom composed exclusively of proprietary code. In fact, the converse is usually true, with open source code components ubiquitous in both commercial and internal applications. The 2018 Open Source Security and Risk Analysis (OSSRA) report published by the Synopsys Center for Open Source Research & Innovation found open source components in 96% of 1,100 applications scanned, with an average of 257 components per application. Because organizations are often unaware of how much—or even what—open source they’re using, they can inadvertently provide attackers with a target-rich environment when vulnerabilities in open source components are disclosed. Seventy-eight percent of the codebases examined for the OSSRA report contained at least one open source vulnerability, with an average of 64 vulnerabilities per codebase.

While development and security teams often use SAST (static application security testing) and SCA solutions to identify security weaknesses and vulnerabilities in their web applications, detecting many vulnerabilities is only possible by dynamically testing the running application, which led to the development of dynamic application security testing (DAST) tools. Despite similarities to traditional DAST and penetration testing tools, IAST is superior to both in finding vulnerabilities earlier in the SDLC—when it is easier, faster, and cheaper to fix them. Over time, IAST is likely to displace DAST usage for two reasons: IAST returns vulnerability information and remediation guidance rapidly and early in the SDLC, and it can be integrated more easily into CI/CD and DevOps workflows.

Shifting Left in the SDLC

IAST generally takes place during the test/QA stage of the software development life cycle (SDLC). With IAST effectively shifting testing left, problems can be caught earlier in the development cycle, reducing remediation costs and release delays. The latest-generation IAST tools return results as soon as changed code is recompiled and the running app retested. By focusing testing on a narrow set of changes, developers can quickly identify vulnerabilities even earlier in the development process.

IAST does analysis from within applications and has access to application code, runtime control and dataflow information, memory and stack trace information, network requests and responses, and libraries, frameworks, and other components (via integration with an SCA tool). The analysis allows developers to not only pinpoint the source of an identified vulnerability but also to address it quickly.

What to Look for in an IAST tool

IAST tools depend on their ability to instrument code, which means their capabilities depend on the application’s programming language. You’ll want to select an IAST tool that can analyze applications written in the programming languages you use and that is compatible with the underlying framework used by your software. Obviously, it should deploy quickly and easily, with seamless integration into CI/CD workflows. Compatibility with any type of test method—existing automation tests, manual QA/dev tests, automated web crawlers, unit testing, etc.—is another feature to look for.

The best IAST tools give DevOps teams the ability both to identify security vulnerabilities and to indicate whether a given vulnerability can be exploited. Any modern IAST tool should include web APIs that enable DevOps leads to integrate testing into continuous integration builds, such as those using Jenkins. Native integration with defect management tools like Atlassian Jira provides a streamlined defect management workflow.

With the prevalence of open source code in today’s software, effective IAST tools need to be aware of the open source composition of the applications being tested. Open source compositional analysis is the responsibility of an SCA tool. This requires the SCA tool to have a deep understanding of open source development paradigms and produce a comprehensive inventory for the open source dependencies regardless of how the dependency is linked into the application. 

Understanding whether an open source vulnerability is exploitable within a given application requires knowing whether the vulnerable component is present, how an exploit of the vulnerability operates, and how the application uses the component. Only a combination of top-tier IAST and SCA tools can effectively identify this class of software risk and guide developers to resolution. An integrated IAST and SCA solution helps development teams build more secure software, minimize risks while maximizing their speed and productivity, and improve the quality of their software.
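The SCA steps described earlier (inventory the open source components, map each one to known disclosures, and flag any component linked in more than one version), as an added Python example that is not part of the original article or of any Synopsys product; the inventory format, component names and advisory ids are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample inventory (not from the article): one "group:artifact:version"
# per line, as an SCA scan might list them; json-mapper is linked in two versions.
INVENTORY = """\
org.example:text-utils:1.9
org.example:json-mapper:2.9.10
org.example:json-mapper:2.13.4
org.example:internal-lib:3.2.0
"""
# Constructed advisory feed with placeholder ids (hypothetical, not real CVEs):
# (component, first affected version inclusive, first fixed version exclusive, id)
ADVISORIES = [
    ("org.example:text-utils", "1.5", "1.10.0", "ADV-EXAMPLE-0001"),
    ("org.example:json-mapper", "2.0", "2.12.7.1", "ADV-EXAMPLE-0002"),
]

def parse_version(version):
    """Turn '2.12.7.1' into a tuple of ints so versions compare numerically, not as strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))

def parse_inventory(text):
    """Map each component name to the set of versions linked into the application."""
    found = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            group, artifact, version = line.strip().rsplit(":", 2)
            found[f"{group}:{artifact}"].add(version)
    return found

def duplicate_versions(found):
    """Components present in more than one version (e.g. conflicting transitive pulls)."""
    return {n: sorted(v, key=parse_version) for n, v in found.items() if len(v) > 1}

def match_advisories(found, advisories):
    """List (component, version, advisory id) for every version inside an affected range."""
    hits = []
    for name, first_affected, first_fixed, advisory in advisories:
        for version in sorted(found.get(name, ()), key=parse_version):
            if parse_version(first_affected) <= parse_version(version) < parse_version(first_fixed):
                hits.append((name, version, advisory))
    return hits

if __name__ == "__main__":
    inventory = parse_inventory(INVENTORY)
    print("multiple versions:", duplicate_versions(inventory))
    print("known disclosures:", match_advisories(inventory, ADVISORIES))
```

Note that only the older json-mapper version falls inside the advisory range, which is exactly the case where a runtime view from IAST is needed to tell whether the application actually exercises that copy.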

Tim Mackey, Technical Evangelist at Synopsys


Tim Mackey
Principal Security Strategist at Synopsys CyRC

Tim Mackey is a Principal Security Strategist within the Synopsys CyRC (Cybersecurity Research Center). He joined Synopsys as part of the Black Duck Software acquisition where he worked to bring integrated security scanning technology to Red Hat OpenShift and the Kubernetes container orchestration platforms. As a security strategist, Tim applies his skills in distributed systems engineering, mission critical engineering, performance monitoring, large-scale data center operations, and global data privacy regulations to customer problems. He takes the lessons learned from those activities and delivers talks globally at well-known events such as RSA. Tim is also an O'Reilly Media published author.