Security Magazine logo
  • Sign In
  • Create Account
  • Sign Out
  • My Account
  • NEWS
  • MANAGEMENT
  • PHYSICAL
  • CYBER
  • BLOG
  • COLUMNS
  • EXCLUSIVES
  • SECTORS
  • EVENTS
  • MEDIA
  • MORE
  • EMAG
  • SIGN UP!
cart
facebook twitter linkedin youtube
  • NEWS
  • Security Newswire
  • Technologies & Solutions
  • MANAGEMENT
  • Leadership Management
  • Enterprise Services
  • Security Education & Training
  • Logical Security
  • Security & Business Resilience
  • Profiles in Excellence
  • PHYSICAL
  • Access Management
  • Fire & Life Safety
  • Identity Management
  • Physical Security
  • Video Surveillance
  • Case Studies (Physical)
  • CYBER
  • Cybersecurity News
  • More
  • COLUMNS
  • Cyber Tactics
  • Leadership & Management
  • Security Talk
  • Career Intelligence
  • Leader to Leader
  • Cybersecurity Education & Training
  • EXCLUSIVES
  • Annual Guarding Report
  • Most Influential People in Security
  • The Security Benchmark Report
  • Top Guard and Security Officer Companies
  • Top Cybersecurity Leaders
  • Women in Security
  • SECTORS
  • Arenas / Stadiums / Leagues / Entertainment
  • Banking/Finance/Insurance
  • Construction, Real Estate, Property Management
  • Education: K-12
  • Education: University
  • Government: Federal, State and Local
  • Hospitality & Casinos
  • Hospitals & Medical Centers
  • Infrastructure:Electric,Gas & Water
  • Ports: Sea, Land, & Air
  • Retail/Restaurants/Convenience
  • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
  • Industry Events
  • Webinars
  • Solutions by Sector
  • Security 500 Conference
  • MEDIA
  • Videos
  • Podcasts
  • Polls
  • Photo Galleries
  • Videos
  • Cybersecurity & Geopolitical Discussion
  • Ask Me Anything (AMA) Series
  • MORE
  • Call for Entries
  • Classifieds & Job Listings
  • Continuing Education
  • Newsletter
  • Sponsor Insights
  • Store
  • White Papers
  • EMAG
  • eMagazine
  • This Month's Content
  • Advertise
Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementTechnologies & SolutionsSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceSecurity Education & TrainingCybersecurity News

New NIST Standards on IAST and RASP Deliver State-of-the-Art AppSec

By Jeff Williams
cybersecurity
June 19, 2020

The world is changing faster than ever before. Technology is the primary instigator, turning the dial up to hyper speed and catapulting businesses into rapid digital transformation in order to maintain a needed competitive edge. As enterprises charge forward with digital innovation, more sensitive applications and workloads are inevitably making their way to the cloud.

Along with myriad benefits, Agile and DevOps also pose higher risks, which are exacerbated by a threat landscape that continues to evolve at breakneck speed. Traditional application security (AppSec) approaches simply cannot keep pace with the speed of modern Agile and DevOps. Constant security scans slow release cycles and increase developer inefficiencies. Overwhelming volumes of false positives consume valuable time, while false negatives create a false sense of security and ratchet up risks. And these problems extend across the software development life cycle—from development to production runtime. Suddenly, in the face of these challenges, the business outcomes of digital transformation initiatives shrink.

 

NIST Standards Bolster Secure Digital Initiatives

In response to these issues, the National Institute of Standards and Technology (NIST) released a revision to Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53 Revision 5. Those responsible for application security need to capitalize on two new standards that address interactive application security testing (IAST) and runtime application self-protection (RASP). 

A critical enabler of both the IAST and RASP standards is security instrumentation, where AppSec telemetry is generated by microsensors embedded within the software. The following synopsis from each standard best summarizes the requirements:

  • SA-11(9): “Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results.”
  • SI-7(17): “Implement [Assignment: organization-defined controls] for application self-protection at runtime.”

These new standards are certain to have a significant impact across all industries. The NIST Cybersecurity Framework is quickly becoming the default standard in the United States, with all federal government agencies mandated to comply with NIST and many state and local governments following suit. And the private sector is not far behind: Half of U.S. businesses will comply with NIST by the end of this year.

 

Getting Started with IAST and RASP

So, what is IAST and what can organizations do to meet the IAST requirement in NIST? IAST leverages security instrumentation that resides inside applications to observe applications while they run (whether in development, test, or production environments). Able to directly access code, user interaction, libraries, frameworks, back-end connections, and configurations to measure control effectiveness, IAST is able to identify a broad range of potential vulnerabilities continuously and in real time.

Deploying IAST is easy and fast. Developers simply need to add the IAST agent to their application. The IAST solution automates the identification of vulnerabilities, which developers can fix as part of the process of writing code. There are no development disruptions for code scans. In addition, the alert noise—generated by false positives—of traditional security scanning tools is eliminated due to the instrumentation approach of IAST.

Like IAST, RASP also leverages security instrumentation and can even be combined in the same agent as IAST. RASP is also fast and easy to use, as opposed to perimeter defenses (web application firewalls). Security and development teams simply add the RASP agent to applications running in their production runtime environment. RASP then continuously monitors application inputs and  confirms exploitability. This includes the detection and prevention of both known and unknown (zero-day) threats at the point of the vulnerability. When a threat is detected, RASP prevents exploitation and takes other actions such as sending a warning message to the user, terminating a user’s session, terminating the application, or sending an alert to the SecOps team.

As security instrumentation is pivotal to both IAST and RASP, it enables a comprehensive approach to AppSec that starts in development and extends into production runtime. Security instrumentation eliminates development delays connected to security scans and false positives that incur significant inefficiencies. This “inside-out” approach also reduces risk by enabling teams to quickly address vulnerabilities that matter and respond to attacks by preventing vulnerabilities from being exploited in real time.

 

Modern Agile and DevOps Demand a Different AppSec Approach 

Modern Agile and DevOps are measured in terms of velocity and the value they add. AppSec must enable rather than inhibit these outcomes. Because they require significant work by experts, it is impossible for traditional “outside-in” AppSec approaches that rely on signature-based models and scanning to match the pace of the digital business. A complete paradigm shift is necessitated, and just as instrumentation has transformed other areas of software development such as application performance monitoring (APM), it holds the keys to success for AppSec.

AppSec must be approached from inside the software—and this is what security instrumentation enables. This inside-out approach is continuous and is real-time security, as opposed to traditional AppSec that takes an outside-in approach that only provides point-in-time security views. The new NIST standards for IAST and RASP are a testament that outside-in AppSec approaches are antiquated, inefficient,and ineffective. Security instrumentation is more than a paradigm shift of the future—it is an opportunity for today.

KEYWORDS: application security cyber security information security NIST standards

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Jeff williams

Jeff Williams is a pioneer in application security and has more than 20 years of experience in software development and security. He is the co-founder and CTO of Contrast Security, a revolutionary application security product that enhances software with the power to defend itself, check itself for vulnerabilities, and join a security command and control infrastructure. Williams is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. Jeff holds a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

 

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Security Enterprise Services
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Security Leadership and Management
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Technologies & Solutions
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

Security’s Top 5 – 2024 Year in Review

Security’s Top 5 – 2024 Year in Review

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Rendered computer with keyboard

16B Login Credentials Exposed in World’s Largest Data Breach

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

Security camera

40,000 IoT Security Cameras Are Exposed Online

Security’s 2025 Women in Security

Security’s 2025 Women in Security

Red spiderweb

From Retail to Insurance, Scattered Spider Changes Targets

2025 Security Benchmark banner

Events

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

What do zebras, school groups and high-tech surveillance have in common? They're all part of a day’s work for the security team at the Toledo Zoo.

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • software code on computer

    Modernizing application security to retool DevSecOps

    See More
  • API security

    How to build more secure APIs

    See More
  • Gordmans deploys state-of-the-art surveillance solution, while keeping a close eye on budget

    See More

Related Products

See More Products
  • Risk-Analysis.gif

    Risk Analysis and the Security Survey, 4th Edition

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing

Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!