

October 29, 2020 Timothy Chiu, VP of Marketing
Getting IAST Results from DAST Testing

IAST (Interactive Application Security Testing) is the latest buzzword in security testing for applications during development. IAST differs from SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) in that it uses an agent directly on the application server to observe the application as it runs, giving it the visibility to report additional detail on the vulnerabilities that are discovered. SAST and DAST came first in application testing and have limitations in visibility and in their ability to detect vulnerabilities in the application being tested.

IAST has been getting newfound attention due to the recent finalization of the National Institute of Standards and Technology (NIST) SP 800-53 Revision 5 update, which includes the requirement to add IAST to the policy and security frameworks used by the federal government. NIST is recognizing the need for better security for applications, and that starts with finding more vulnerabilities during security testing in development. By requiring IAST, organizations will get better results from their security testing thanks to the increased visibility provided by IAST solutions.

Organizations that want an easy way to get IAST results using their existing DAST testing tools can now do so with no changes to the testing methodology or testing tools. By adding the K2 Security Platform agent to the application server under test, K2 can provide IAST results by supplying the visibility into the tested applications that DAST testing tools are missing. Paired with an existing DAST tool, K2 can corroborate the DAST tool’s results while also providing additional details, including the name of the file containing the vulnerability and the line number within that file of the vulnerable code. In addition, with its added visibility into the application, K2 can find and report on vulnerabilities that the DAST tool may miss.

By adding an agent on the application server, organizations can get IAST results from their existing DAST tools without having to learn and implement an IAST tool. K2 Cyber Security is a great addition for visibility into the threats discovered by penetration and security testing tools in pre-production, and it can also find additional vulnerabilities during testing that testing tools may have missed. K2 can pinpoint the exact location of the discovered vulnerability in the code. When a vulnerability is discovered (for example, SQL Injection, XSS or Remote Code Injection), K2 can disclose the exact file name along with the line of code that contains the vulnerability. These are details that testing tools typically are unable to provide, and they enable developers to start the remediation process quickly.

Get more out of your application security testing and change how you protect your applications: check out K2’s application workload security solution and get IAST results from your DAST testing today.

Find out more about K2 today by requesting a demo, or get your free trial.


