What is SAST vs DAST in application security?
D4 · Operations · CompTIA Security+ SY0-701

SAST (Static Application Security Testing) analyzes source code, bytecode, or binaries without executing the application, finding vulnerabilities early in the development process.
DAST (Dynamic Application Security Testing) tests a running application by sending inputs and analyzing responses, simulating an external attacker's perspective.
| Feature | SAST | DAST |
|---|---|---|
| When | Early (code review) | Later (testing/staging) |
| Access needed | Source code | Running app |
| False positives | Higher | Lower |
| Finds | Code-level flaws | Runtime/config issues |
SAST = white box (source code access). DAST = black box (running app). IAST (Interactive Application Security Testing) combines both by instrumenting the running app while it is being tested. RASP (Runtime Application Self-Protection) monitors and blocks attacks in real time. Use SAST, DAST, and IAST together for comprehensive coverage.