HCL AppScan IAST

The Interactive (IAST) technology uses an agent deployed on the web server of the tested application to monitor traffic sent during runtime, and report vulnerabilities it finds. Unlike DAST (Dynamic Analysis) scans, an IAST monitoring session doesn't generate its own traffic, but monitors your system tests, or manual exploring, or traffic sent during a DAST Scan. So you can have ongoing identification of runtime issues without the need to send dedicated test requests.

Whereas a DAST scan sees the application as a "black box", the IAST agent sees "inside" the box, enabling it to provide greater detail about vulnerabilities such as: the location of the vulnerability in the code, the URL, and the specific vulnerable entity (such as parameter, header, or cookie), while SAST would provide the location only, and DAST the URL and entity only.

When you install the IAST Agent on your web server and start an IAST Monitoring Session, the agent monitors traffic (requests, call stack, variables and so on) sent to the application, and reports to ASoC on the vulnerabilities it finds. Unlike DAST scans, an IAST session can run indefinitely.

You can set up the IAST agent that communicates with ASoC either through the UI or through the REST API.

Deployment

1. Generate a key for the Node.js agent (through the UI or API).

2. On your web server:

   1. Add environment variable: IAST_ACCESS_TOKEN: [key]

   2. Open the command prompt and run: npm install --save @hclsoftware/secagent

   3. Edit package.json by locating the start script, e.g.:

      "start": "node index.js",

      and changing it to this:

      "start": "node -r @hclsoftware/secagent/src/Iast.js index.js",

3. Start your application using npm start

For additional information, see IAST Documentation.

Sample automation scripts

Two sample Python scripts and a Python library, to facilitate automation when working with IAST, can be found here: https://github.com/hclproducts/asoc_automation_iast