Love this question and I’m curious to hear what some of the more seasoned Checkmarx vets might think.
Personally I feel like IAST is the evolution of both SAST and DAST. The idea that it’s combining the approaches for a best of both worlds kind of result, like chocolate and peanut butter, makes each better together than apart.
Do I think that people should go ripping out a robust, functioning DAST installation and toolset to jump on the IAST bandwagon? Well no. Not all at once anyway.
IAST by nature is a relatively complex kind of deployment to install and configure, and I wouldn’t go ripping out what’s working all at once until you’re comfy with your IAST approach and results.
Do I think many existing DAST shops will evolve towards IAST naturally and potentially replace their DAST stance altogether? Yep, I sure do.