CI/CD Security Best Practices [Cheat Sheet]

In this 13 page cheat sheet we'll cover best practices in the following areas of the CI/CD pipeline: Infrastructure security, code security, secrets management, access and authentication, monitoring and response.

What is interactive application security testing (IAST)?

IAST (Interactive Application Security Testing) is a security testing method that monitors applications in real-time during runtime to detect vulnerabilities by analyzing code behavior and data flow in live environments.

Wiz Experts Team
5 minutes read

IAST (Interactive Application Security Testing) is a security testing methodology for identifying vulnerabilities in web applications. It works by monitoring an application in real-time while it is running and actively tested, often during QA or automated testing processes. IAST tools integrate with the application and analyze its behavior and data flow to detect security issues, providing insights on potential vulnerabilities, particularly in the codebase.

If any issues are present, IAST alerts the development team with information on the failing test case, the context of the code location, and the application's state during the test.

Why IAST is important

Development velocity is paramount. Getting out new features and fixing bugs quickly can make or break a project's success. But sacrificing security in the name of development velocity can haunt the development process in the long run. Building secure systems can add extra work, either with long test runs or by burdening developers with false positives that don’t actually lead to security issues in production. Luckily, with interactive application security testing (IAST), there’s a way to identify vulnerabilities without slowing down delivery. 

Let’s take a closer look at IAST, how it works, and why you might want to consider it to keep your systems safe.

How does IAST work?

IAST uses sensor libraries that track how the app behaves while it’s being tested. The process shifts security testing from security teams to development teams by requiring developers to integrate these libraries into the application’s code; using IAST with an unmodified application doesn’t work.

The sensors give IAST access to the application code, data flow, system configuration, components, and network connections, allowing it to track the software's complete behavior while it’s being tested and send alerts if vulnerable behavior is detected.

IAST can run in the DevSecOps pipeline after the compilation step, as the application has to be executed for the tests to work.

How is IAST different from other security testing methods?

Static application security testing (SAST) and dynamic application security testing (DAST) and software composition analysis (SCA) are popular application security testing tools with different strengths and weaknesses. Let’s compare IAST with them to see how it fits into the big picture of security testing.

SAST vs. IAST

DefinitionComparison with IAST
SAST scans source code for suspicious patterns. It’s very fast and can run without compiling or executing an application, enabling it to run inside an IDE, as seen in figure 2.Still, it can’t catch all security vulnerabilities; some are too complex or manifest only in specific security contexts.IAST is slower than SAST because it requires execution for its sensors to work. However, this also gives IAST the context that SAST is missing and allows IAST to report fewer false positives, a major pain point with SAST scanning.
Figure 2: Security scan inside an IDE

IAST vs. DAST

DefinitionComparison with IAST
DAST is a black-box testing method and therefore doesn’t see the code. DAST only executes the application and checks its outputs for vulnerabilities. It’s much slower than SAST but catches different application vulnerabilities.In contrast to IAST, DAST doesn’t require changes to the code, considering it doesn’t use sensor libraries. However, because of the missing sensors, it has less context than IAST and requires many more test cases, which gives IAST a speed advantage over DAST.

IAST vs. SCA

DefinitionComparison with IAST

SCA detects potential security vulnerabilities in your application's third-party source components. It scans the packages you use, checks which have entries in the list of known vulnerabilities, and reports these issues. SCA is a very fast process because it doesn’t evaluate or scan your application code.

In short, SCA only checks if you use dependencies with vulnerabilities. Nonetheless, SCA usually has a high rate of false positives, as it doesn’t check if you use a dependency's vulnerable parts.

SCA is much faster than IAST but only reports vulnerabilities in third-party code. It also tends to have a high rate of false positives.While IAST is slower, it covers your own code and that of third parties. Its sensors ensure that only vulnerabilities in executed code lead to an alert, minimizing false positives.

What are the benefits and limitations of IAST?

While IAST might sound like a better alternative to SAST and DAST, it isn’t the perfect solution for all security problems. Let’s explore its benefits and limitations to understand its applicability better.

IAST’s benefits

  • Automation: As with other security testing methods, you can automate the IAST process and integrate it into a CI/CD pipeline to ensure it’s always executed before new code is deployed to production. 

  • Complete coverage at runtime: IAST sensors keep track of the whole application at runtime. This means they cover the behavior of your own code and the code in third-party libraries. IAST will report if anything makes a network request or accesses a specific location.

  • Transparency: The sensors give IAST access to the execution context, like a debugger. This enables IAST to link vulnerabilities to specific sections in the source code, making it easier for developers to locate and fix them.

  • Feedback in real time: Suppose a test is conducted by a human and not automatically in a CI/CD pipeline. In that case, IAST can give real-time feedback by alerting the tester about potential vulnerabilities when a sensor detects them.

  • Production use cases: The execution requirement of IAST can also be a benefit, as it enables developers to reproduce issues mentioned in bug reports and test them with runtime sensors. 

IAST’s limitations

  • Lack of universal support for programming languages: The biggest limitation of IAST tools is that they’re programming language–dependent. As you must install the sensor libraries to give IAST the context it requires, you’re out of luck if your programming language of choice isn’t supported by an IAST tool. Unless you use a popular programming language, IAST simply isn't an option.

  • Feedback late in the SDLC: IAST requires the application to be compiled and executed to run later in the software development lifecycle, making its feedback much slower than security scanners that work directly with the source code. IAST can’t give a developer feedback inside an IDE while implementing a feature.

  • High-effort implementation: The integration effort for IAST is much higher than that of SAST or DAST because it requires installing and setting the sensor libraries. SAST or DAST can test the application as-is without any changes.

  • False negatives: Since IAST sensors only track code that is executed, they won’t catch issues with code that doesn’t run in the tests. This increases the risk of false negatives in big code bases that are harder to test.

  • High costs: Compiling and executing code for testing is much more expensive than simply running SAST, which just scans code as-is. Also, the real time information from IAST sensors doesn’t come for free, either.

Summary

IAST is a powerful addition to the application security testing ecosystem. False positives and long-running testing suites are huge problems for development velocity, and IAST addresses these issues. In contrast to SAST and SCA, IAST sensors ensure that only the vulnerabilities in the executed code raise alerts. This lowers the rate of false positives because issues in dead code are ignored. The sensors also add context missing in DAST, turning it from a black-box to a grey-box testing method with insights into the runtime environment. More context allows for covering a bigger number of vulnerabilities with fewer tests than DAST.

Wiz Code + IAST

Wiz Code offers capabilities to ingest and integrate findings from various application security testing tools, including IAST. Wiz Code’s ability to ingest IAST findings is designed to enhance its comprehensive cloud-native application protection. 

By integrating IAST results, Wiz Code can bring runtime vulnerability insights directly into its platform, allowing for a more thorough view of potential risks in applications running in cloud environments.

Here's how users can benefit from ingesting IAST findings into Wiz Code:

  • Enhanced Detection in Pre-Production Environments: IAST findings focus on runtime vulnerabilities in applications during pre-production or QA testing—not in live production. By integrating IAST results into Wiz Code, users can uncover vulnerabilities that manifest under realistic runtime conditions, such as injection flaws or misconfigurations in application logic, before they ever reach production. This preemptive insight helps prevent issues that could otherwise lead to costly or disruptive vulnerabilities in live environments.

  • Comprehensive View Beyond Application-Level Vulnerabilities: While IAST findings target application-level vulnerabilities in isolation from cloud infrastructure or workloads, Wiz Code completes the picture by correlating these findings with insights from Wiz Cloud. This broader perspective helps users see how application issues may interact with underlying cloud components, providing a full-stack view that aligns with comprehensive cloud security.

  • Precision Through Security Graph Ingestion: IAST findings typically connect vulnerabilities to specific lines of code, similar to static application security testing (SAST). By mapping these findings in Wiz Code’s Security Graph, users gain pinpoint accuracy in identifying and addressing vulnerabilities directly within the codebase. Meanwhile, Wiz Cloud offers additional security intelligence, providing context on how these application-level issues might impact or relate to the cloud environment.

With IAST ingestion in Wiz, users benefit from targeted insights into application vulnerabilities in pre-production, enhanced by Wiz Cloud’s end-to-end visibility across both the application and cloud infrastructure. Want to see Wiz Code in action? Get a demo to see how starting secure in code helps you stay secure in the cloud.

Secure your cloud from code to production

Learn why CISOs at the fastest growing companies trust Wiz to accelerate secure cloud development.

Get a demo 

Continue reading

What Is Shadow IT? Causes, Risks, and Examples

Wiz Experts Team

Shadow IT is an employee’s unauthorized use of IT services, applications, and resources that aren’t controlled by—or visible to—an organization’s IT department.

What is API Security?

API security encompasses the strategies, procedures, and solutions employed to defend APIs against threats, vulnerabilities, and unauthorized intrusion.

What is Data Classification?

Wiz Experts Team

In this post, we’ll explore some of the challenges that can complicate cloud data classification, along with the benefits that come with this crucial step—and how a DSPM tool can help make the entire process much simpler.