2018-08-28

The need for integrated IAST and SCA

According to Verizon's 2018 Data Breach Investigations Report, web application attacks remain the most common vector for data breaches. Web applications are the attack surface of choice for attackers seeking access to sensitive intellectual property and personal data, such as usernames and passwords, credit card numbers, and patient information. Organizations need to ensure that the web applications they develop are secure, ideally before they are deployed to production, and developers need to be able to ship quick fixes when critical vulnerabilities are discovered.

Web applications are seldom composed exclusively of proprietary code. In fact, the converse is usually true, with open source components ubiquitous in both commercial and internal applications. The 2018 Open Source Security and Risk Analysis (OSSRA) report published by the Synopsys Cybersecurity Research Center (CyRC) found open source components in 96% of the 1,100 applications scanned, with an average of 257 components per application. Because organizations are often unaware of how much—or even what—open source they are using, they can inadvertently provide attackers with a target-rich environment when vulnerabilities in open source components are disclosed. Seventy-eight percent of the codebases examined for the OSSRA report contained at least one open source vulnerability, with an average of 64 vulnerabilities per codebase.

Development and security teams commonly use SAST (static application security testing) and SCA (software composition analysis) tools to identify security weaknesses and vulnerabilities in their web applications, but many vulnerabilities can only be detected by exercising the running application, which led to the development of dynamic application security testing (DAST) tools. Interactive application security testing (IAST) shares characteristics with traditional DAST and penetration testing tools, but it is superior to both at finding vulnerabilities earlier in the software development life cycle (SDLC), when they are easier, faster, and cheaper to fix. Over time, IAST is likely to displace DAST for two reasons: it returns vulnerability information and remediation guidance rapidly and early in the SDLC, and it integrates more easily into CI/CD and DevOps workflows.
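A minimal illustration of what run-time sink instrumentation sees, added here as an example and not taken from the original post or from any Synopsys product: a toy monitor wraps sqlite3's execute() and flags an untrusted request value that was spliced into the query text rather than passed as a bound parameter, which is the kind of check an IAST agent performs inside the running application (a real agent hooks the runtime transparently instead of being called explicitly as below). The TaintMonitor, setup_db, lookup_role and run_demo names and the request value 'alice' are constructed for the demo.

```python
import sqlite3
from dataclasses import dataclass, field

@dataclass
class TaintMonitor:
    """Toy stand-in for an IAST agent: remembers untrusted values, watches one sink."""
    tainted: set = field(default_factory=set)
    findings: list = field(default_factory=list)   # (sink, query, tainted value)

    def mark(self, value):
        # Values read from a request are untrusted; keep them for sink checks.
        self.tainted.add(value)
        return value

    def execute(self, cursor, sql, params=()):
        # Instrumented sink: the final query text is inspected at run time, so the
        # check works however the string was assembled. Bound parameters are not
        # part of the SQL text and therefore do not produce a finding.
        for value in self.tainted:
            if value in sql:
                self.findings.append(("sqlite3.Cursor.execute", sql, value))
        return cursor.execute(sql, params)

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'admin')")
    return conn

def lookup_role(monitor, conn, username, parameterised):
    # Same lookup built two ways; only the concatenated form reaches the sink unsafely.
    cur = conn.cursor()
    if parameterised:
        monitor.execute(cur, "SELECT role FROM users WHERE name = ?", (username,))
    else:
        monitor.execute(cur, "SELECT role FROM users WHERE name = '" + username + "'")
    row = cur.fetchone()
    return row[0] if row else None

def run_demo():
    # Returns {variant: (role found, number of findings)} for both variants.
    results = {}
    for label, parameterised in (("concatenated", False), ("parameterised", True)):
        monitor, conn = TaintMonitor(), setup_db()
        name = monitor.mark("alice")  # constructed request parameter
        role = lookup_role(monitor, conn, name, parameterised)
        results[label] = (role, len(monitor.findings))
    return results
```

Both variants return the same role, but only the concatenated one produces a finding, which is the difference a static scan of a dynamically assembled query string can miss.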