Information Security 12 min read

Good Doctor Online's Practice of Integrating and Optimizing Open-Source IAST in Its Security Development Lifecycle

This article details how Good Doctor Online integrated and optimized the open-source IAST tool within its security development lifecycle, covering architecture, performance enhancements, RPC adaptation, CI/CD pipeline integration, and real-world deployment results.

HaoDF Tech Team

The article begins by describing the background of personal information protection and data security in China following the enactment of the Data Security Law and Personal Information Protection Law in 2021, highlighting the sensitive health data collected by Good Doctor Online.

It then introduces Interactive Application Security Testing (IAST) as a real-time dynamic vulnerability detection technique, explaining why traditional SAST, DAST, manual testing, and code reviews cannot keep up with rapid release cycles.

The advantages of IAST are outlined: higher accuracy, agility, process suitability for early testing, and high coverage, especially for API interfaces.

The choice of the open-source "洞态IAST" (DongTai IAST) is justified by its accuracy, ease of deployment, and fully open-source codebase.

Subsequent sections detail the architecture and principles of DongTai IAST: a lightweight agent instruments the application at runtime and reports method calls, the server side reconstructs data flows with value‑matching and taint‑tracking algorithms, and the components communicate via OpenAPI, MySQL, and Redis.
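As an added illustration of the server-side analysis the summary describes (not DongTai's own code), the following Python sketch replays the method-call events an agent would report for one request and links them into a taint flow by matching object identity hashes. The event schema, the hash values and the Java method signatures are constructed for the example.

```python
from dataclasses import dataclass, field

# Added example (not DongTai's code): a minimal server-side taint analysis over
# method-call events that an IAST agent would report. The event format, the
# hash values and the method list below are constructed for illustration.


@dataclass
class MethodEvent:
    invoke_id: int            # call order within one HTTP request
    signature: str            # instrumented method
    kind: str                 # "source", "propagator", "sink" or "other"
    source_hashes: list = field(default_factory=list)  # identity hashes of inputs (this, args)
    target_hashes: list = field(default_factory=list)  # identity hashes of outputs (return value)


def trace_taint(events):
    """Replay one request's events in call order and return the sinks reached by
    request-controlled data, each with the chain of invoke_ids that carried it.

    Matching is on object identity hashes rather than on string values, so two
    distinct objects that happen to hold the same text are not linked."""
    tainted = {}     # hash -> invoke_id of the event that produced it
    parent = {}      # invoke_id -> invoke_id of the event that fed it
    findings = []
    for ev in sorted(events, key=lambda e: e.invoke_id):
        if ev.kind == "source":
            for h in ev.target_hashes:
                tainted[h] = ev.invoke_id
            continue
        feeders = [tainted[h] for h in ev.source_hashes if h in tainted]
        if not feeders:
            continue                      # no tainted input: nothing propagates
        parent[ev.invoke_id] = feeders[0]
        if ev.kind == "sink":
            chain, cur = [], ev.invoke_id
            while cur is not None:
                chain.append(cur)
                cur = parent.get(cur)
            findings.append((ev.signature, chain[::-1]))
        elif ev.kind == "propagator":
            for h in ev.target_hashes:
                tainted[h] = ev.invoke_id
    return findings


def render_flow(finding, events):
    """Turn one finding into the kind of taint flow line a root-cause analyst reads."""
    by_id = {e.invoke_id: e for e in events}
    sig, chain = finding
    return " -> ".join(f"#{i} {by_id[i].signature}" for i in chain)


# Constructed events for a request like /search?name=<input> ending in a string-built SQL query.
SAMPLE_EVENTS = [
    MethodEvent(1, "javax.servlet.http.HttpServletRequest.getParameter(String)", "source",
                target_hashes=[0x1A]),
    MethodEvent(2, "java.lang.String.concat(String)", "propagator",
                source_hashes=[0x2B, 0x1A], target_hashes=[0x3C]),   # "SELECT ... name='" + name
    MethodEvent(3, "java.lang.String.concat(String)", "propagator",
                source_hashes=[0x3C, 0x4D], target_hashes=[0x5E]),   # + "'"
    MethodEvent(4, "java.sql.Statement.executeQuery(String)", "sink",
                source_hashes=[0x5E]),
    # A second query built only from constants: same sink, no tainted input, no finding.
    MethodEvent(5, "java.lang.String.concat(String)", "propagator",
                source_hashes=[0x7A, 0x8B], target_hashes=[0x9C]),
    MethodEvent(6, "java.sql.Statement.executeQuery(String)", "sink",
                source_hashes=[0x9C]),
]

if __name__ == "__main__":
    for f in trace_taint(SAMPLE_EVENTS):
        print(render_flow(f, SAMPLE_EVENTS))
```

Running it prints one flow, from `getParameter` through two `concat` calls into `executeQuery`; the second query reaches the same sink but is never reported because none of its inputs trace back to a source. That chain is what the taint flow graph mentioned later in the summary visualises, and matching on identity hashes rather than string equality is what keeps a constant that happens to equal user input from being mislabelled as tainted.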

The article then describes the adaptations needed to run DongTai IAST in Good Doctor Online's container environment: customizing the RPC protocol handling so the agent copes with a self‑defined Host header, and performance optimizations such as filtering out heartbeat and performance‑test requests through a blacklist file and a custom HTTP header, so the agent spends no instrumentation time on traffic that cannot carry user input.
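The request filter described above, as an added example that is not code from the article or from DongTai: a blacklist file of path rules plus a marker header lets the agent skip probe and load-test traffic before any method-level tracking starts. The file format (`prefix:` and `re:` entries) and the header name `X-IAST-Skip` are assumptions for the example.

```python
import re

# Added example: constructed blacklist file. The format (one rule per line,
# '#' comments, 'prefix:' or 're:' entries) and the header name are hypothetical,
# not DongTai's configuration syntax.
BLACKLIST_TEXT = r"""
# Kubernetes / Spring Boot liveness and readiness probes
prefix:/actuator/health
prefix:/healthz
# heartbeat endpoints exposed by the RPC framework
re:^/rpc/[^/]+/ping$
# static assets are never interesting to taint tracking
re:\.(js|css|png|ico)$
"""

SKIP_HEADER = "x-iast-skip"   # hypothetical header set by the performance-test harness


class RequestFilter:
    """Decides, per request, whether the agent should skip instrumentation entirely."""

    def __init__(self, blacklist_text):
        self.prefixes = []
        self.regexes = []
        for raw in blacklist_text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("prefix:"):
                self.prefixes.append(line[len("prefix:"):])
            elif line.startswith("re:"):
                self.regexes.append(re.compile(line[len("re:"):]))
            else:
                # Fail loudly at agent start rather than silently tracking everything.
                raise ValueError(f"unknown blacklist entry: {line!r}")

    def should_skip(self, path, headers):
        # Header check first: it is the cheapest test and the perf-test marker
        # applies regardless of which path the load generator hits.
        norm = {k.lower(): v for k, v in headers.items()}
        if norm.get(SKIP_HEADER, "").strip() == "1":
            return True
        # Match on the path only, so '/healthz?probe=1' still hits the '/healthz' rule.
        p = path.split("?", 1)[0]
        if any(p.startswith(pre) for pre in self.prefixes):
            return True
        return any(r.search(p) for r in self.regexes)


if __name__ == "__main__":
    f = RequestFilter(BLACKLIST_TEXT)
    for path, hdrs in [("/actuator/health", {}),
                       ("/api/patient/search?name=x", {}),
                       ("/api/patient/search", {"X-IAST-Skip": "1"})]:
        print(path, hdrs, "skip" if f.should_skip(path, hdrs) else "track")
```

Two design points worth keeping when adapting this: the skip header should only be honoured for traffic that cannot originate from the public edge (the load generator inside the test network), otherwise a client could opt itself out of tracking; and prefix rules are matched on the path with the query string removed, since probes are often called with cache-busting parameters.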

Integration with the existing CI/CD pipeline is explained: the agent is packaged automatically by GitLab, Jenkins builds pick it up by version tag, a downgrade switch disables the agent when it causes trouble, and the overall flow runs from requirements review through to vulnerability reporting.

Operational results show that after widespread deployment in the Java test environment, no performance bottlenecks were introduced and several high‑quality vulnerabilities were discovered, with taint flow graphs aiding root‑cause analysis.

Finally, the article outlines future directions for IAST: combining with black‑box tools, further performance optimizations for large applications, enhancing privacy‑sensitive data detection, and reducing false positives through customized rule tuning.

Tags: CI/CD, DevOps, Security Testing, Open Source, application security, Container Optimization, IAST
Written by: HaoDF Tech Team

HaoDF Online tech practice and sharing; join us to discuss and help create quality healthcare through technology.
