Applications that are deployed to production are subject to attacks that exploit vulnerabilities. Many vulnerabilities can be identified and corrected prior to product deployment by running security scans on the source code (SAST) or on exposed interfaces (DAST).
Some vulnerabilities, however, cannot be identified by standalone static or dynamic application testing. This is where interactive application security testing (IAST) comes in.
IAST works through software instrumentation: the use of instruments to monitor an application as it runs and gather information about what it does and how it performs. IAST solutions instrument applications by deploying agents in running applications and continuously analyzing all application interactions initiated by manual tests, automated tests, or a combination of both to identify vulnerabilities in real time. IAST can detect more vulnerabilities than SAST or DAST because the agent has visibility into:
While IAST is similar to Runtime Application Self-Protection (RASP), the key difference is that IAST is focused on identifying vulnerabilities within the application, whereas RASP is focused on protecting against cybersecurity attacks that may take advantage of those vulnerabilities or other attack vectors.
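The instrumentation described above can be sketched in a few lines. This is an added example, not code from the original page or from any IAST product: a toy agent marks request input at the source, inspects SQL statements at the sink, and reports a finding while an ordinary functional test with benign input runs. The names `Tainted`, `AgentConnection`, `read_param` and `FINDINGS` are hypothetical, and taint is propagated only through string concatenation.

```python
import sqlite3
import traceback

FINDINGS = []  # what the agent would report to its console (hypothetical)

class Tainted(str):
    """Agent-side marker for data read from an untrusted source."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))
    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

class AgentConnection(sqlite3.Connection):
    """Sink instrumentation: inspect every statement before it runs."""
    def execute(self, sql, params=()):
        if isinstance(sql, Tainted):
            # Record which application function built the statement.
            caller = traceback.extract_stack(limit=2)[0]
            FINDINGS.append({"issue": "untrusted data in SQL text",
                             "function": caller.name, "line": caller.lineno})
        params = tuple(str(p) if isinstance(p, str) else p for p in params)
        return super().execute(str(sql), params)

def read_param(request, key):
    """Source instrumentation: mark request input as tainted."""
    return Tainted(request[key])

# --- application code under test (constructed sample) ---
def find_user_concat(db, name):
    # Builds the statement from input; the agent should flag this.
    return db.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()

def find_user_bound(db, name):
    # Passes input as a bound parameter; the SQL text stays untainted.
    return db.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()

def run_functional_test():
    """An ordinary functional test with benign input, run with the agent on."""
    FINDINGS.clear()
    db = sqlite3.connect(":memory:", factory=AgentConnection)
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice')")
    name = read_param({"name": "alice"}, "name")  # constructed request
    rows = (find_user_concat(db, name), find_user_bound(db, name))
    db.close()
    return rows, list(FINDINGS)

if __name__ == "__main__":
    print(run_functional_test())
```

Both queries return the same row, so the functional test passes either way; only the agent's view of the data flow separates the concatenated query from the parameterized one.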