SAST / DAST
SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) are the two main families of application-security analysis tools.
SAST analyses source code or binaries without executing them, to detect structural vulnerabilities (SQL injection, XSS, hardcoded secrets, bad cryptographic practice). It fits naturally into CI. Tools: SonarQube, Snyk Code, Semgrep, Checkmarx, GitHub CodeQL.
DAST tests the running application from the outside, the way an attacker would: it sends malicious requests and observes responses. It catches runtime vulnerabilities invisible in the code (misconfigurations, authentication issues). Tools: OWASP ZAP, Burp Suite, Tenable, Acunetix.
The two are complementary and combine with software composition analysis (SCA), container scanning and IaC scanning.
