IAST with DAST or IAST instead of DAST

As a company that uses DAST tools, we are intrigued by IAST. Do you see this as a DAST replacement or a complementary tool to add to our existing DAST tools?

Our main concern is that we have a Java application but also a lot of ColdFusion applications we have been maintaining over the past decade.


Love this question and I’m curious to hear what some of the more seasoned Checkmarx vets might think.

Personally, I feel like IAST is the evolution of both SAST and DAST. The idea that it’s combining the approaches for a best-of-both-worlds kind of result, like chocolate and peanut butter, makes each better together than apart.

Do I think that people should go ripping out a robust, functioning DAST installation and toolset to jump on the IAST bandwagon? Well, no. Not all at once anyway.

IAST by nature is a relatively complex kind of deployment to install and configure, and I wouldn’t go ripping out what’s working all at once until you’re comfy with your IAST approach and results.

Do I think many existing DAST shops will evolve towards IAST naturally and potentially replace their DAST stance altogether? Yep, I sure do.