1 views collected around this technical thread.
This article explains the principles of Interactive Application Security Testing (IAST), details the JavaAgent-based agent instrumentation approach, and provides a step‑by‑step guide to building a Java IAST agent using Javassist, custom class loaders, ThreadLocal tracing, and Maven packaging.
The article explains the importance of security testing within DevSecOps, outlines key testing methods such as SAST, DAST, IAST, and SCA, discusses penetration testing, and describes Huawei Cloud's comprehensive security testing framework and practices for ensuring software safety in modern development pipelines.
In a detailed interview, XMirror Security founder Zi‑Ya discusses the origins of his team, the core elements of DevSecOps, the innovative code‑vaccine technology combining IAST and RASP, maturity stages of development security in China, and future trends in software‑supply‑chain security.
This article surveys IAST and RASP technologies, detailing Java bytecode instrumentation methods, passive probing techniques, taint analysis algorithms, integration with SkyWalking, and compares their capabilities with SAST and DAST, providing practical implementation guidance and reference resources.
This article details how Good Doctor Online integrated and optimized the open-source IAST tool within its security development lifecycle, covering architecture, performance enhancements, RPC adaptation, CI/CD pipeline integration, and real-world deployment results.
The 2021 China DevOps Landscape Survey, conducted by the Cloud Computing Open Source Industry Alliance with 1,862 valid responses across multiple sectors, reveals that over half of Chinese enterprises have reached comprehensive DevOps maturity, agile development is widespread, DevSecOps adoption exceeds 50%, and IAST tools, especially Xmirror’s LingMai, dominate the security tooling market.
This article describes Ctrip's practical deployment of OpenRASP‑based IAST, outlines the challenges of data pollution caused by traffic replay, and presents a Java bytecode instrumentation solution that intercepts SocketOutputStream writes to prevent dirty data from persisting in databases, caches, and message queues.
The article details Ctrip's DevSecOps challenges and solutions, covering security team structuring, threat modeling, SCA and SAST integration, IAST/DAST architecture, vulnerability management, and the resulting improvements in automated security testing within a high‑frequency CI/CD environment.