Security resources are scarce, and practitioners need guidance on the effective and efficient use of the techniques and tools available in the cybersecurity industry. Two emerging tool types, Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP), have not been thoroughly evaluated against well-established counterparts such as Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST). The goal of this research is to help practitioners make informed choices about the use of IAST and RASP tools through an analysis of their effectiveness and efficiency in comparison with other vulnerability detection and prevention techniques and tools. We apply IAST and RASP to OpenMRS, an open-source Java-based web application, and compare their efficiency and effectiveness with those of techniques applied to OpenMRS in prior work. We measure efficiency and effectiveness in terms of the number and type of vulnerabilities detected and prevented per hour. Our study shows that IAST performed relatively well compared to the other techniques, ranking second-best in both efficiency and effectiveness. IAST detected eight of the OWASP Top-10 security risks, compared to nine by SMPT and seven each by EMPT, DAST, and SAST. IAST found more vulnerabilities than SMPT. The efficiency of IAST (2.14 VpH) is second only to EMPT (2.22 VpH). These findings imply that our study benefited from using IAST when conducting black-box security testing. In the context of a large, enterprise-scale web application such as OpenMRS, RASP does not replace vulnerability detection, while IAST is a powerful tool that complements other techniques.