NowSecure Introduces the World’s First Mobile IAST Solution
Posted by Brian Reed
As a longtime innovator of automated mobile appsec testing software and services, NowSecure continues to embrace emerging technology by delivering the world’s first Interactive Application Security Testing (IAST) technology purpose-built for mobile apps. This advancement provides security analysts and app developers with greater visibility into app vulnerabilities and privacy issues in Agile and DevSecOps scenarios.
Sometimes called DAST 2.0 or the next generation of DAST, IAST inserts instrumentation into a mobile app to capture telemetry as the app runs, enabling deeper testing coverage that uncovers more issues with near zero false positives. Like instrumentation in a modern race car, NowSecure IAST delivers a plethora of security, privacy and data telemetry that enables much better understanding of mobile app performance and risk. A handful of web application security testing vendors pioneered IAST over the past few years, and NowSecure invested to bring this forward-leaning enhancement to the mobile application security market.
The NowSecure testing engine uniquely combines IAST, Dynamic Application Security Testing (DAST), and Static Application Security Testing (SAST). DAST instrumentation hooks at the mobile OS kernel level to drive external attack scenarios and analyze how an app interacts with the device, network and backend APIs from the “outside in.” IAST instruments an app from the “inside out” to inspect the app, data and control flows. And rounding out the trifecta, SAST instrumentation tests an app binary post-compilation to discover vulnerabilities in third-party libraries, frameworks, configuration and permissions. Only NowSecure delivers these capabilities in one unified mobile appsec testing platform.
Our leading-edge approach combines the best of all worlds with static, dynamic, and interactive analysis designed and built specifically for mobile apps. In particular, DAST and IAST are complementary technologies that offer a “yin and yang” perspective of mobile app security. DAST examines how an app interacts with the world around it. Sample DAST findings include certificate/hostname verification, man-in-the-middle attacks, sensitive data over HTTP or sensitive data in log files, to name just a few. Conversely, IAST looks at an app from the inside out. Sample IAST findings include world readable/writable files, cookie issues, sensitive data stored to local files and more. NowSecure has an extensive list of hundreds of validated tests that continues to grow as mobile technology evolves, while ensuring high accuracy and near zero false positives.
NowSecure delivers an “Active IAST” solution that combines DAST + IAST in a single test engine built from our pen testers’ attack experience. Security teams can have the confidence that they get the best security and privacy analysis of any fully automated test system. Dev and DevOps teams benefit from IAST capabilities simply by running the NowSecure solution in the dev pipeline integrated into their CI/CD system with no additional interface to configure or learn.
NowSecure continues to further mobile application security advances, from writing the first books on mobile forensics to developing the first mobile binary scanners to delivering the first automated test rigs in the cloud, to name a few. This latest NowSecure IAST innovation comes from our world-renowned expert security research team, which includes the creators of the Frida and Radare advanced open-source security testing tools. We are proud that NowSecure was recently recognized by IDC as an IDC MarketScape Market Leader.
See the powerful combination of IAST, DAST and SAST analysis in action to vet mobile app security, privacy and compliance posture — get a demo today.