Practical Research of IAST Technology under DevOps Development Model

Journal of Information Security Reserach ›› 2021, Vol. 7 ›› Issue (12): 1198-.

Previous Articles Next Articles

Practical Research of IAST Technology under DevOps Development Model

Online:2021-12-05 Published:2021-12-02

IAST技术在DevOps开发模型下的实践研究

黎曦严敏佳陈中伟田峥李琪瑶封靖川

（国网湖南省电力有限公司信息通信分公司长沙 410000）

通讯作者: 黎曦硕士.主要研究方向为敏捷安全、安全漏洞管理. 9815409@qq.com
作者简介:黎曦硕士.主要研究方向为敏捷安全、安全漏洞管理. 9815409@qq.com 严敏佳硕士.主要研究方向为研发安全. 578629450@qq.com 陈中伟高级工程师.主要研究方向为网络安全管理与技术、监测分析. 303410012@qq.com 田峥高级工程师，博士.主要研究方向为攻防对抗、安全自动化. tiangler@126.com 李琪瑶硕士.主要研究方向为电力监控网络安全. 封靖川主要研究方向为物联网安全. 1178854439@qq.com

Abstract

Abstract: In the modern DevOps (development operations) development model, IAST (interactive application security testing) technology has a significant security effect in the practice of how to embed the security into the R & D test process and how to ensure the security of software R & D in the case of lack of security personnel resources. At the same time, IAST has excellent performance in the vulnerability detection rate and vulnerability false positive rate. IAST can not only solve the general security risks and open source software risks in the process of software R & D, but also find the sensitive and private data leakage problems in Web applications through sensitive data tracking technology. This paper discusses that IAST is a new generation of security testing technology more in line with the concept of DevOps system.

Key words: DevOps, IAST, sensitive data, vulnerability detection rate, vulnerability false positive rate

摘要： 在现代研发运维一体化（development operations，DevOps）开发模型中，在安全如何嵌入研发测试流程以及在安全人员资源缺失的情况下如何保障软件研发安全的实践过程中，交互式应用安全测试（interactive application security testing，IAST）技术有着显著的安全保障效果，同时在漏洞检出率和漏洞误报率方面也有优秀的表现。IAST不仅可以解决软件研发过程中的通用型安全隐患和开源软件风险，还可以通过敏感数据追踪技术发现Web应用存在的敏感及隐私数据泄露问题。从多角度论述了IAST是更符合DevOps体系理念的新一代安全测试技术。

关键词: 研发运维一体化, 交互式应用安全测试, 敏感数据, 漏洞检出率, 漏洞误报率

（国网湖南省电力有限公司信息通信分公司长沙）. Practical Research of IAST Technology under DevOps Development Model[J]. Journal of Information Security Reserach, 2021, 7(12): 1198-.

黎曦严敏佳陈中伟田峥李琪瑶封靖川. IAST技术在DevOps开发模型下的实践研究[J]. 信息安全研究, 2021, 7(12): 1198-.

References

[1] SHIKLO B. Software Development Models: Sliced, Diced and Organized in Charts[EB/OL].(2019-08-11)[2021-08-30].https://www.scnsoft.com/blog/software-development-models

[2] LOTZ M. Waterfall vs. Agile: Which is the Right Development Methodology for Your Project?[EB/OL].（2018-07-05）[2021-09-11].https://www.seguetech.com/waterfall-vs-agile-methodology/

[3] COURTEMANCHE M,MELL E,GILLIS A S. What is DevOps? The ultimate guide[EB/OL].(2020-09-10)[2021-09-11].https://searchitoperations.techtarget.com/definition/DevOps

[4] DECK R .Improving Application Security Through Automated Testing [EB/OL].(2018-06-26)[2021-09-11].https://www.directdefense.com/improving-application-security-automated-testing/

[5] PETERSON J. Application Security Testing: Security Scanning Vs. Runtime Protection[EB/OL].(2020-08-27)[2021-08-30].https://www.whitesourcesoftware.com/resources/blog/ast-application-security-testing

[6]APT-101.洞悉DAST、SAST、IAST -- Web应用安全测试技术对比浅谈[EB/OL].(2020-01-04)[2021-09-11].https://www.cnblogs.com/hack404/p/14229622.html

[7] VELASCO R. What is IAST? All About Interactive Application Security Testing[EB/OL].(2020-05-07)[2021-08-30].https://hdivsecurity.com/bornsecure/what-is-iast-interactive-application-security-testing

[8]VELASCO R. The Difference Between Active IAST and Passive IAST[EB/OL].(2020-08-21)[2021-09-11].https://hdivsecurity.com/bornsecure/what-is-active-iast-and-passive-iast/

[9]悬镜安全. IAST 技术进阶系列（二）：全场景多核驱动[EB/OL].(2021-10-1)[2021-10-02].https://mp.weixin.qq.com/s?__biz=MzA3NzE2ODk1Mg==&mid=2647778424&idx=1&sn=c1798d16dfe6694a9dca4f89ae4636c4&chksm=87736c2fb004e5390560ef8a74b1082e9d4ef90df7dd92aab7d7dfa7c9f3cf13b108c0ac98b2&scene=178&cur_album_id=2069905419921162248#rd

[10]安全牛.一种创新型敏感数据安全技术：互动式应用安全测试(IAST)[EB/OL].(2019-01-18)[2021-09-11].https://www.sohu.com/a/289838096_490113

[11]网安加学院.什么是IAST（交互式应用安全测试）？这是我看过最深刻的解释[EB/OL].(2021-06-26)[2021-09-11].https://baijiahao.baidu.com/s?id=1703602852029549291&wfr=spider&for=pc

[12]李浩：浅谈IAST如何赋能企业开发安全[EB/OL].(2020-08-24)[2021-09-11].https://www.sohu.com/a/411368817_99944114

Practical Research of IAST Technology under DevOps Development Model

IAST技术在DevOps开发模型下的实践研究

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 3

Recommended Articles

Metrics

[1]	. Practice on Operator Sensitive Data Encryption and Decryption Strategy Based on Large Data Environment [J]. Journal of Information Security Research, 2018, 4(5): 447-452.
[2]	. Research and application of full life cycle monitoring of sensitive data flow based on big data platform [J]. Journal of Information Security Research, 2018, 4(2): 145-149.
[3]	. Research and Implementation of Security Management of Data Files [J]. Journal of Information Security Research, 2018, 4(1): 84-90.