How effective are IAST tools at finding vulnerabilities?
HP WIRT, Acunetix with Acusensor, Contrast Security, Quotium, and Appscan Enterprise can find more vulnerabilities when they are in the best-fit scenario. Yes, I have used Contrast Security and WIRT to find vulnerabilities faster than without the SAST-side capabilities (note that WIRT both gives feedback to WebInspect in-tool via the SecurityScope hooks and makes Fortify merge-capable with the SecurityScope log output), but I would only utilize (and have only utilized) their capabilities when targeting JEE apps. For Acusensor, you get even fewer results and only against PHP apps. Quotium and Appscan Enterprise don't necessarily add more value to .NET, JEE, or any other languages I've run across -- but they certainly have their niches there as well, under the right set and setting.
HP WIRT/SecScope vs. JEE: 9/10
Contrast Security vs. JEE: 9.5/10
Acusensor vs. PHP: 6/10
Quotium or Appscan benefits: 7 or 8 out of 10
HP WIRT vs. ASP.NET: 8.5 out of 10
Is there any evidence that these can find more or less than a black box application pen test (DAST) or by source code review (SAST)?
There is absolutely conclusive evidence of this, especially given the time and resource constraints put on any given DAST assessment. Let me be a vocal giant when it comes to this topic: IAST tools, whether strict (Contrast, Quotium) or loosely defined (WIRT/SecScope, et al.), are enormous aids when configuring fault-injection test cases after a hybrid brain-tool code understanding (which normally involves -- at the very least -- walking and crawling the app's execution flow).
In the case of WIRT/SecScope, I was able to configure and find vulnerabilities that I definitely would have missed in several scenarios -- against JEE and .NET apps, especially apps that were over 20 MLOC with tons of complexity, and especially when they included Web Services that were SOAP and/or REST interfaces.
Personally, I wouldn't even touch an assessment against JEE, .NET, or PHP built apps without considering IAST as a primary, first-run approach. It saves so much time and provides so much focus.
Comparing SAST to IAST: IAST is faster than SAST and provides focus to risk management. Even with only one IAST finding that SAST may or may not future-find, this can be of enormous value when looking at control-set gap analyses or similar risk-management problems. The fact that a security bug was found with IAST makes a software weakness uniquely positioned for higher prioritization. Additionally, IAST findings, when combined with SAST findings (especially custom rules-based), are amazing time savers when it comes to further customization of views, understanding of code, design of code, and combining of resources.
Comparing DAST to IAST: In my hands, IAST will simply find more and understand the vulnerabilities more deeply, which will probably lead to easier/faster exploitation or exploit chaining as well.
In summary: use IAST whenever possible, as early as possible, and provide IAST artifacts to future SAST (and customized SAST) assessments.