77 lines
2.1 KiB
Markdown
77 lines
2.1 KiB
Markdown
# IAST (Interactive Application Security Testing)
|
||
|
||
## Definition
|
||
IAST tools evaluate applications while they run to detect security issues that SAST or SCA tools might overlook. They are beneficial during testing and deployment phases when examining how different components interact within the application is important.
|
||
|
||
## Aliases
|
||
- Interactive Application Security Testing
|
||
- Grey-box testing
|
||
- Instrumentation-based testing
|
||
|
||
## Characteristics
|
||
- **运行时分析**:在应用运行时进行监控
|
||
- **灰盒测试**:结合白盒和黑盒方法
|
||
- **精确检测**:能准确定位漏洞位置
|
||
- **低误报率**:基于实际执行分析
|
||
|
||
## How IAST Works
|
||
|
||
### Instrumentation
|
||
IAST 工具在应用中植入代理(Agent):
|
||
- 监控应用执行路径
|
||
- 分析数据流
|
||
- 检测不安全操作
|
||
|
||
### Agent Deployment
|
||
- Web 服务器插件
|
||
- 应用服务器插件
|
||
- 容器环境支持
|
||
- 云函数支持
|
||
|
||
## What IAST Detects
|
||
- 运行时数据流问题
|
||
- API 安全问题
|
||
- 认证/授权问题
|
||
- 配置错误
|
||
- 与 [[SAST]] 和 [[DAST]] 互补的漏洞
|
||
|
||
## Comparison with Other Testing Methods
|
||
|
||
| 维度 | SAST | DAST | IAST |
|
||
|------|------|------|------|
|
||
| **测试方式** | 白盒(静态) | 黑盒(动态) | 灰盒(运行时) |
|
||
| **需要代码** | 是 | 否 | 是(代理) |
|
||
| **误报率** | 中等 | 低 | 低 |
|
||
| **检测范围** | 代码层 | 应用层 | 代码+应用层 |
|
||
| **适用阶段** | 开发 | 测试/部署 | 测试 |
|
||
| **性能影响** | 无 | 中等 | 低-中等 |
|
||
|
||
## Tools
|
||
- Contrast Assess
|
||
- Hdiv
|
||
- Quotium Q360
|
||
- AppCheck
|
||
|
||
## Integration
|
||
IAST 通常集成到:
|
||
- 自动化测试环境
|
||
- QA 测试流程
|
||
- CI/CD 管道(测试阶段)
|
||
- 预生产环境
|
||
|
||
## Advantages
|
||
- 高准确性(低误报)
|
||
- 精确的漏洞定位
|
||
- 不中断开发流程
|
||
- 可用于生产监控
|
||
|
||
## Related Concepts
|
||
- [[DevSecOps]] — IAST 是其重要组件
|
||
- [[SAST]] — 静态应用安全测试
|
||
- [[DAST]] — 动态应用安全测试
|
||
- [[SCA]] — 软件组成分析
|
||
- [[RASP]] — 运行时应用自我保护
|
||
|
||
## Sources
|
||
- [[what-is-devsecops-best-practices-benefits-and-tools]]
|