Tuesday, August 18, 2015

IAST - A new approach for application security testing

Application security has been one of the most important aspects of the whole security domain, because the easy accessibility of resources has steadily increased the threat and attack vectors over the decade.

To make applications more robust, developers, testers and security testers have on their side made several efforts to minimize the vulnerable points and make applications more secure.

There have been many approaches to testing an application for vulnerabilities. SAST and DAST are the two well-known and successful testing procedures that have been followed, but each has its own market and its own pros and cons.

There were talks of combining these two approaches to get the maximum use out of them and cover more robust scenarios. This is how the IAST approach came into the picture.

IAST == DAST + SAST

The approach IAST takes is to start analyzing the application from within as it runs. You can compare it to a SECURITY DEBUGGER that looks into code execution in memory, file system access, web service calls, database queries, input validation, etc., and analyzes whether these events or calls are vulnerable. In this way it covers all of the run-time requests, data flow, control flow, and so on.

IAST is further subdivided into two kinds, on the basis of how it analyses the problems.

One is Active and the other is Passive.

Passive IAST, on the other hand, just observes the application for vulnerable points at run time. The false-positive ratio is a little higher in this approach, as it is very similar to the other testing procedures.

In active IAST we simulate a real attack scenario against the application by sending malicious traffic and then monitor whether this traffic induces any kind of vulnerable situation. Yes, it is very much dependent on the richness of the malicious traffic.

With this approach, analyzing the vulnerability and narrowing it down to the exact problem becomes easy and accurate.

The toughest part is implementing an IAST, as it is more complicated than the others. It involves installing agents strategically so that the scope is well covered. These agents feed data to the main server for analysis. It can also be thought of as dividing the whole infrastructure into two parts, where one simulates the malicious traffic and the other monitors and analyzes it.
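As an added illustration of the "security debugger" and agent ideas described above (constructed for this post, not from any vendor's product), here is a toy passive-IAST agent in Python: it tags an HTTP parameter as tainted, hooks the application's SQL sink the way an agent hooks a database driver, and reports whenever tainted data reaches that sink, with no attack traffic needed. The `Tainted`, `Agent`, `execute_sql` and `build_app` names and the rule that taint propagates only through `+` concatenation are simplifying assumptions.

```python
"""Toy passive-IAST agent (constructed). Real agents propagate taint through
every string operation; this one tracks only '+' concatenation."""
from dataclasses import dataclass, field

class Tainted(str):
    """A str that remembers its untrusted origin; taint survives '+'."""
    def __new__(cls, value, source):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.source)
    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.source)

@dataclass
class Finding:
    sink: str       # instrumented call that received untrusted data
    source: str     # where the data entered the application
    payload: str    # the value that reached the sink

@dataclass
class Agent:
    findings: list = field(default_factory=list)
    def watch(self, sink_name, fn):
        """Wrap a sink so every call is inspected for tainted arguments."""
        def wrapped(*args, **kwargs):
            for arg in list(args) + list(kwargs.values()):
                if isinstance(arg, Tainted):
                    self.findings.append(Finding(sink_name, arg.source, str(arg)))
            return fn(*args, **kwargs)
        return wrapped

def execute_sql(query):   # stand-in for a database driver call
    return "executed: " + query

def sanitize(value):      # a sanitizer the agent trusts: its output is untainted
    return str(value).replace("'", "''")

def build_app(agent):
    """Hook the SQL sink once at startup, as an IAST agent hooks a driver."""
    db_execute = agent.watch("execute_sql", execute_sql)
    def handle_request(username, sanitized=False):
        user = Tainted(username, "HTTP param 'username'")  # untrusted entry point
        if sanitized:
            user = sanitize(user)
        query = "SELECT * FROM users WHERE name = '" + user + "'"
        return db_execute(query)
    return handle_request
```

A request with a perfectly ordinary username still produces a finding, because what the agent reports is the unsafe data flow from entry point to sink, not the content of the traffic; the sanitized path produces none.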

It does have a lot of advantages, such as more code coverage and complete automation, but there are challenges as well, on the analysis and instrumentation side.

Do google this approach and let me know your thoughts :)
