SAST & DAST Tooling

Static and Dynamic analysis techniques for vulnerability detection.

SAST (Static Application Security Testing)

Analyzing source code, byte code, or binaries for security vulnerabilities without executing the application.

  • White-box testing
  • Finds bugs early (Shift Left)
  • High false positives usually
  • Tools: SonarQube, Checkmarx, Fortify

DAST (Dynamic Application Security Testing)

Analyzing a running application by simulating attacks from the outside to find runtime vulnerabilities.

  • Black-box testing
  • Finds configuration/runtime issues
  • Requires a running environment
  • Tools: OWASP ZAP, Burp Suite