SAST & DAST Tooling
Static and Dynamic analysis techniques for vulnerability detection.
SAST (Static Application Security Testing)
Analyzing source code, byte code, or binaries for security vulnerabilities without executing the application.
- White-box testing
- Finds bugs early (Shift Left)
- High false positives usually
- Tools: SonarQube, Checkmarx, Fortify
DAST (Dynamic Application Security Testing)
Analyzing a running application by simulating attacks from the outside to find runtime vulnerabilities.
- Black-box testing
- Finds configuration/runtime issues
- Requires a running environment
- Tools: OWASP ZAP, Burp Suite