
G2 Launches Interactive Application Security Testing (IAST) Software Category

March 9, 2022
by Adam Crivello

The DevSecOps software space continues to evolve as product development teams work to adopt “secure by default” delivery strategies. In February 2022, G2 launched its Interactive Application Security Testing (IAST) Software category to represent a key testing approach.

IAST: SAST and DAST’s youngest sibling

IAST software has been around for about four years, but it still has a lot of room to grow in the market. It joins static application security testing (SAST) and dynamic application security testing (DAST) to form a repertoire from which development teams can tailor the approach that works best for them. While SAST runs security tests without actually executing an application’s code (hence “static”), and DAST uses a black-box testing method to perform tests from outside the application, IAST software allows users to set up automated security analysis that occurs within the application while it’s running.     

IAST software is not a catch-all tool that usurps the likes of SAST and DAST. Instead, it’s best thought of as a complement to one or both of those solutions. DevSecOps, the software delivery strategy which seeks to streamline workflows through continuous development, integration, security, and delivery, requires automation to be successful.


IAST, SAST, and DAST all automate aspects of the software security testing process to help teams achieve security by default, but the approaches they enable differ. A successful DevSecOps strategy requires a combination of security measures that are comprehensive and thorough while also saving time by making security a natural part of the development process.

How does IAST help?

Like SAST, IAST is typically used in the earlier stages of the software development cycle. This means security issues are caught sooner rather than later, saving teams a lot of time and headache.

One of the benefits of a DevSecOps approach is that the more teams can plug security holes as they go, the less they have to go back and redo. Since it monitors applications from within in real time, IAST software also has the potential to be much more efficient than SAST and DAST. When IAST does detect vulnerabilities based on either known compliance requirements or user-defined parameters, it automatically notifies software testers. Beyond notification, IAST software provides remediation suggestions to give developers a jumping-off point as they work to resolve issues.

However, it’s worth noting that IAST software only executes tests at pre-defined points. This means that IAST software users must be thorough when determining which tests should be run and when. IAST’s integration with other test automation tools can supplement this practice, as users can reuse their established testing parameters. In contrast with IAST’s user-defined testing points, SAST analyzes the entirety of the application’s code. With that in mind, SAST has higher coverage than IAST, but it can also produce more false positives when detecting vulnerabilities.
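The coverage limit described above can be seen in a small sketch of IAST-style runtime sensors, added here as an illustration and not taken from G2 or any vendor's product. All names (`source`, `InstrumentedDB`, the handlers) and the test data are hypothetical and constructed for the example.

```python
import sqlite3

FINDINGS = []   # what the agent would report to testers
_inputs = []    # untrusted values seen for the request in progress

def source(value):
    """Sensor at the input boundary: remember the untrusted value."""
    _inputs.append(value)
    return value

class InstrumentedDB:
    """Sensor at the SQL sink: inspects each query as it actually runs."""
    def __init__(self, conn):
        self._conn = conn

    def execute(self, sql, params=()):
        for value in _inputs:
            if value and value in sql:   # input reached the SQL text unbound
                FINDINGS.append({"rule": "sql-injection", "sql": sql,
                                 "fix": "pass the value as a bound parameter"})
        return self._conn.execute(sql, params)

def find_user(db, name):        # flawed, and exercised by the tests
    name = source(name)
    return db.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()

def find_user_safe(db, name):   # parameterized, exercised by the tests
    name = source(name)
    return db.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()

def find_order(db, ref):        # same flaw, but no test ever calls it
    ref = source(ref)
    return db.execute("SELECT id FROM orders WHERE ref = '" + ref + "'").fetchall()

def run_functional_tests():
    """Run the (constructed) test suite under the agent; return its findings."""
    FINDINGS.clear()
    raw = sqlite3.connect(":memory:")
    raw.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    raw.execute("CREATE TABLE orders (id INTEGER, ref TEXT)")
    raw.execute("INSERT INTO users VALUES (1, 'alice')")
    db = InstrumentedDB(raw)
    for handler in (find_user, find_user_safe):
        _inputs.clear()          # new request, new set of tracked inputs
        assert handler(db, "alice") == [(1,)]
    return list(FINDINGS)

if __name__ == "__main__":
    for finding in run_functional_tests():
        print(finding)
```

The run reports `find_user` with a remediation hint and stays silent on `find_order`, which has the same flaw but was never executed; a static scan of the source would see both.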

Benefits and Drawbacks of IAST

Looking forward

At G2, we’ll continue to update our taxonomy to represent emerging software markets. While the IAST space is not as robust as the SAST and DAST spaces, it’s an important piece of the application security (AppSec) testing puzzle. We expect to see more products added to the category as the DevSecOps space continues to evolve rapidly.


Adam Crivello

Adam is a research analyst focused on dev software. He started at G2 in July 2019 and leverages his background in comedy writing and coding to provide engaging, informative research content while building his software expertise. In his free time he enjoys cooking, playing video games, writing and performing comedy, and avoiding sports talk.