

Why the difference between SAST, DAST, and IAST matters

Quick Review Of Application Security Testing

When I attend social functions with friends, people often ask what I do. I'm never quite sure where to start. "I run a small tech company that helps Java applications run more securely" is probably overkill. "I help keep hackers out of proprietary places" has worked.

But usually, I just default to asking them questions. "How much do you know about computer programming?" or "What field do you work in?" or "Do you know much about writing code?" usually lets me know how much depth I should go into with them.

But because you've stumbled upon our blog, I'm assuming that you know something about computer programming and coding, and that you want to know how to make both more secure against outside and inside threats. So I'm going to talk about DAST and SAST for a moment, then explain why Interactive Application Security Testing (IAST) is going to produce better results in a faster time frame, helping you get back to what you do best: writing code.

DAST (Dynamic Application Security Testing)

DAST tests an application's exposed interfaces for vulnerabilities. It's testing from the outside in. The technology has been around a while, and it is familiar to most people inside the application security world. DAST is good at finding externally visible vulnerabilities and makes them easy to confirm by providing the URL. The downside of DAST is its heavy reliance on experts to write tests, which makes it difficult to scale.

SAST (Static Application Security Testing)

SAST technologies analyze the source code or bytecode to help you find threats inside your code. If you can prevent vulnerabilities in the code before you launch, you'll have stronger code and a more reliable application. Everyone knows that false positives are an issue, but SAST can show you exactly where to find an issue in the code. Like DAST, SAST requires security experts to use the tools properly.

IAST (Interactive Application Security Testing)

According to the research firm Gartner, "modern web and mobile applications require a combination of SAST and DAST techniques...interactive application security testing approaches have emerged that combine static and dynamic techniques to improve testing." That's the bottom line with IAST: It gets better results. That's probably why Gartner recommends IAST for providing greater testing accuracy. Just imagine if you could eliminate 99% of all false-positive results. See why Gartner positioned Contrast as "A Visionary In The Gartner Magic Quadrant For Application Security Testing."


How does Interactive Application Security Testing (IAST) work?

An IAST agent instruments your application and does all of the analysis in real time within your application. This could be done in your IDE, your continuous integration environment, in QA, or even in production. By doing the analysis from within the application itself, the agent has access to:

  • All the code for the application
  • Runtime control and data flow information
  • Configuration information
  • HTTP requests and responses
  • Libraries, frameworks, and other components
  • Backend connection information

Access to all this information allows IAST engines to cover more code, produce more accurate results, and verify a broader range of security rules than either SAST or DAST tools. In addition, IAST agents are easy to install and don't require any application security expertise to use. They simply work better. 
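To make the idea of in-application analysis concrete, here is an added example (not Contrast's code and not part of the original post): a toy Python agent that marks a request parameter as tainted at the source and checks the query text at the SQL sink, reporting both the URL and the calling function. The names `Tainted`, `Agent`, `lookup_concat`, `lookup_bound` and the sample request are assumptions made for this illustration.

```python
import sqlite3
import sys

class Tainted(str):
    """A string marked as coming from an untrusted source."""
    def __add__(self, other):            # tainted + x stays tainted
        return Tainted(str.__add__(self, other))
    def __radd__(self, other):           # x + tainted stays tainted
        return Tainted(str.__add__(other, self))

class Agent:
    """Toy in-process agent (hypothetical): watches one source and one sink."""
    def __init__(self):
        self.findings = []
        self.request = None              # HTTP request currently being handled

    def source(self, request, name):
        """Instrumented source: a request parameter enters the application."""
        self.request = request
        return Tainted(request["params"][name])

    def sql_sink(self, conn, sql, params=()):
        """Instrumented sink: inspect the query text just before it runs."""
        if isinstance(sql, Tainted):     # untrusted data is part of the SQL text
            self.findings.append({
                "rule": "sql-injection",
                "url": self.request["url"],                    # HTTP context
                "function": sys._getframe(1).f_code.co_name,   # code location
            })
        return conn.execute(str(sql), params).fetchall()

def lookup_concat(agent, conn, request):
    name = agent.source(request, "name")
    return agent.sql_sink(conn, "SELECT id FROM users WHERE name = '" + name + "'")

def lookup_bound(agent, conn, request):
    name = agent.source(request, "name")
    return agent.sql_sink(conn, "SELECT id FROM users WHERE name = ?", (name,))

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    agent = Agent()
    request = {"url": "/users?name=alice", "params": {"name": "alice"}}  # constructed
    rows = lookup_concat(agent, conn, request), lookup_bound(agent, conn, request)
    return rows, agent.findings

if __name__ == "__main__":
    print(demo())
```

Both lookups return the same row for a benign request, but only the concatenating one produces a finding, because the bound parameter never becomes part of the SQL text. This sketch propagates taint through `+` only; f-strings, `format` and other string operations would need their own propagation hooks.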

So the question remains: "Which one is best?" or "Which one should I use?" or, ultimately, "If I can only afford one security application tool, which one do I choose?"

To learn more about the advantages of IAST, visit our blog about the 7 Advantages of Interactive Application Security Testing (IAST), or visit our IAST solution page: Contrast Assess.

You can also schedule a demo from a Contrast Assess expert today!


Feel free to watch a short video to see how IAST works and integrates into the SDLC.


Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by Ernst & Young. Jeff is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years.

