IAST for ZAP


Viswanath Srinivasan Ch

May 26, 2015, 9:20:27 AM
to zaproxy...@googlegroups.com
Hello Simon,

As you might have heard by now, the concept of IAST is rapidly emerging in the field of application security. People are trying to prove that SAST & DAST are more costly, time-consuming, and outdated, and are whistle-blowing to the world that the next generation must follow IAST.

IAST tools on the market (that I am aware of):

a. Quotium Seeker (http://www.quotium.com/resources/interactive-application-security-testing/)

b. HP WebInspect Real-Time (http://www.ndm.net/sast/hp-webinspect-real-time)

I noticed that the OWASP AppSecUSA 2012 conference was trying to promote this concept.

 

Reference:

[1] http://www.marketwatch.com/story/interactive-application-security-testing-iast-named-by-gartner-analysts-in-top-10-technologies-for-information-security-in-2014-2014-07-01

[2] http://www1.contrastsecurity.com/blog/9-reasons-why-interactive-tools-are-better-than-static-or-dynamic-tools-regarding-application-security

[3] http://security.stackexchange.com/questions/54865/effectiveness-of-interactive-application-security-testing

[4] http://www.infosecurityeurope.com/__novadocuments/24379

[5] https://www.youtube.com/watch?v=sUNsPBb6NPA

How do you see ZAP progressing on the IAST concept?


Thanks in advance for your answer.


Regards.



kingthorin+owaspzap

May 26, 2015, 10:04:24 AM
to zaproxy...@googlegroups.com
Has anyone out there ever actually used an IAST solution? I know IBM AppScan has had a "Glassbox" agent for quite a while to support this type of thing but I've never had an opportunity to actually use it.

Stephen de Vries

May 26, 2015, 10:12:27 AM
to zaproxy...@googlegroups.com
> Has anyone out there ever actually used an IAST solution? I know IBM AppScan has had a "Glassbox" agent for quite a while to support this type of thing but I've never had an opportunity to actually use it.

I briefly tried Contrast for Eclipse, which has a free download: http://www1.contrastsecurity.com/eclipse
It easily found obvious XSS and SQLi in a vulnerable Java app… which is to be expected. But I don't recall how it did on other vulnerability classes.


psiinon

May 26, 2015, 10:27:53 AM
to zaproxy...@googlegroups.com, chvis...@gmail.com
Hi Viswanath :)

I currently don't have any plans for IAST, but I'd be very interested to hear what everyone here thinks we should be doing about it :)

My initial thoughts are that it would involve a whole load of different technologies, which may well not fit in well with the current ZAP project.
And we've still got our work cut out with dynamic scanning + manual webapp testing - expanding to be a full IAST solution could well be too much for us?

However I could definitely see ZAP playing the DAST part in a larger IAST solution (if I've got the concepts right), so I'd be v interested to talk to anyone planning something like that.

What does everyone else think?

Thanks for raising this - it's exactly the sort of thing this forum is for!

Simon

Viswanath Srinivasan Ch

May 26, 2015, 10:32:22 AM
to zaproxy...@googlegroups.com
Yes, I have tried Glassbox, but I don't know how it links with the IAST concept.

The Glassbox agent was sitting on the application server (WebLogic or WebSphere) and, after it was connected to AppScan, it was sending some vulnerabilities from the server side to the client side.
But I had a hard time installing Glassbox on production systems, so I couldn't progress on it much...

Viswanath Srinivasan Ch

May 26, 2015, 10:38:47 AM
to zaproxy...@googlegroups.com, chvis...@gmail.com
Thanks for the reply Simon.

Indeed, it is unclear at this stage what exactly to do on ZAP for IAST.
We can keep the thread open, in case we notice that the industry is really moving towards it...

For now, the combination of SAST and DAST tools is still ruling...

Regards.

psiinon

May 26, 2015, 10:43:30 AM
to zaproxy...@googlegroups.com, chvis...@gmail.com
I think ZAP can be an ideal platform for exploring different possibilities - it's open source, has a significant amount of existing functionality and is very pluggable.
So if anyone fancies playing around with IAST and ZAP then post to this thread :D