What are SAST and DAST?
SAST stands for Static Application Security Testing and DAST stands for Dynamic Application Security Testing. Both are methods for finding security vulnerabilities in an application, but they are applied in different ways and at different points in the development life cycle.
SAST (Static Application Security Testing)
SAST is a white-box security testing approach: the tester has access to the underlying framework, design, and implementation, so the application is tested from the inside out. This type of testing represents the developer's perspective. SAST does not require a deployed application; it analyzes the source code or binaries without executing the application. Security is therefore tested earlier in the SDLC (Software Development Life Cycle), and a scan can be run as soon as the code is deemed feature-complete. Because vulnerabilities are found earlier in the SDLC, they are easier and faster to remediate, and the findings can often be fixed before the code enters the QA cycle. Since SAST scans static code, it cannot discover run-time vulnerabilities.
DAST (Dynamic Application Security Testing)
DAST is a black-box security testing approach: the tester has no knowledge of the technologies or frameworks the application is built on, so the application is tested from the outside in. This type of testing represents the hacker's perspective. DAST does not require source code or binaries; it analyzes the application by executing it. Security is therefore tested towards the end of the SDLC, and vulnerabilities are discovered after the development cycle is complete. Because vulnerabilities are found toward the end of the SDLC, remediation often gets pushed into the next cycle, and critical vulnerabilities may have to be fixed in an emergency release. Since DAST exercises the running application, it is able to find run-time vulnerabilities.
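To make the two approaches concrete, here is an added example (not from the original post, and not any real scanner's code) with a toy SAST rule and a toy DAST check applied to the same constructed application. The SAST side only parses the source text into an AST and never runs it; the DAST side only drives the running app through its WSGI interface and inspects the response, never looking at the source. The sample source, the `sample_app` WSGI app and the header list are all constructed for this illustration.

```python
"""Toy SAST check and toy DAST check on one constructed sample app (assumed example)."""
import ast

# Constructed sample source, as a SAST tool would read it from the repository.
SAMPLE_SOURCE = '''
def lookup(cursor, user_id):
    cursor.execute("SELECT * FROM users WHERE id = " + user_id)
    return cursor.fetchall()
'''


def sast_scan(source: str) -> list:
    """Static check: walk the AST without executing anything and flag any
    .execute() call whose first argument is assembled by string concatenation
    or an f-string instead of being a fixed, parameterised query."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            if isinstance(node.args[0], (ast.BinOp, ast.JoinedStr)):
                findings.append((node.lineno, "SQL query assembled from strings"))
    return findings


def sample_app(environ, start_response):
    """Constructed WSGI app: the running artefact that a DAST tool exercises."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<h1>Hello</h1>"]


def dast_probe(app) -> list:
    """Dynamic check: send one request to the running app and inspect the
    response. Hardening headers exist only at run time (often added by a
    framework or proxy), so a source-only scan cannot tell whether they are set."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in headers}

    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))  # run it
    findings = []
    for hdr in ("x-content-type-options", "content-security-policy"):  # assumed list
        if hdr not in captured["headers"]:
            findings.append(f"missing response header: {hdr}")
    return findings


if __name__ == "__main__":
    print("SAST:", sast_scan(SAMPLE_SOURCE))
    print("DAST:", dast_probe(sample_app))
```

Note that each side is blind to the other's finding: the static rule knows nothing about response headers, and the dynamic probe never sees how the query was built.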