This article examines script injection threats in Java applications and compares static, dynamic, and interactive security testing tools—SAST, DAST, and IAST—highlighting their strengths, weaknesses, and popular options to help developers select the most suitable solution.
This article explores the core principles, strengths, and limitations of four major application security testing approaches—Static (SAST), Dynamic (DAST), Interactive (IAST), and Runtime Application Self‑Protection (RASP)—and compares them in a concise table to guide developers in building a comprehensive security strategy.
This article outlines the background of logic vulnerabilities, compares SAST/IAST/DAST techniques, presents a comprehensive detection architecture with API traffic capture, token collection, fuzzy‑hash response comparison, API deduplication, and discusses challenges such as public API false positives and automation gaps.
This article analyzes common logical vulnerabilities in freight‑related APIs, compares SAST, IAST and DAST approaches, proposes a detection architecture with traffic collection, token handling, fuzzy‑hash comparison and API de‑duplication, and discusses remaining challenges and future improvements.
This article explains the principles of Interactive Application Security Testing (IAST), details the JavaAgent-based agent instrumentation approach, and provides a step‑by‑step guide to building a Java IAST agent using Javassist, custom class loaders, ThreadLocal tracing, and Maven packaging.
As DevOps accelerates software delivery, integrating robust security testing—through static, dynamic, interactive application security testing and software composition analysis—becomes essential, and this article explains the importance, methods, tools, and best practices, including Huawei Cloud’s approach, to ensure comprehensive protection across the development lifecycle.
The article explains the importance of security testing within DevSecOps, outlines key testing methods such as SAST, DAST, IAST, and SCA, discusses penetration testing, and describes Huawei Cloud's comprehensive security testing framework and practices for ensuring software safety in modern development pipelines.
In a detailed interview, XMirror Security founder Zi‑Ya discusses the origins of his team, the core elements of DevSecOps, the innovative code‑vaccine technology combining IAST and RASP, maturity stages of development security in China, and future trends in software‑supply‑chain security.
This article surveys IAST and RASP technologies, detailing Java bytecode instrumentation methods, passive probing techniques, taint analysis algorithms, integration with SkyWalking, and compares their capabilities with SAST and DAST, providing practical implementation guidance and reference resources.
This article details how Good Doctor Online integrated and optimized the open-source IAST tool within its security development lifecycle, covering architecture, performance enhancements, RPC adaptation, CI/CD pipeline integration, and real-world deployment results.
The 2021 China DevOps Landscape Survey, conducted by the Cloud Computing Open Source Industry Alliance with 1,862 valid responses across multiple sectors, reveals that over half of Chinese enterprises have reached comprehensive DevOps maturity, agile development is widespread, DevSecOps adoption exceeds 50%, and IAST tools, especially Xmirror’s LingMai, dominate the security tooling market.
This article describes Ctrip's practical deployment of OpenRASP‑based IAST, outlines the challenges of data pollution caused by traffic replay, and presents a Java bytecode instrumentation solution that intercepts SocketOutputStream writes to prevent dirty data from persisting in databases, caches, and message queues.
The article details Ctrip's DevSecOps challenges and solutions, covering security team structuring, threat modeling, SCA and SAST integration, IAST/DAST architecture, vulnerability management, and the resulting improvements in automated security testing within a high‑frequency CI/CD environment.
