Static application security testing (SAST) and Dynamic application security testing (DAST) are both methods of testing for security vulnerabilities, but they’re used very differently. Here are some key differences between SAST and DAST:
SAST | DAST |
White box security testing The tester has access to the underlying framework, design, and implementation. The application is tested from the inside out. This type of testing represents the developer approach. | Black box security testing The tester has no knowledge of the technologies or frameworks that the application is built on. The application is tested from the outside in. This type of testing represents the hacker approach. |
Requires source code SAST doesn’t require a deployed application. It analyzes the sources code or binary without executing the application. | Requires a running application DAST doesn’t require source code or binaries. It analyzes by executing the application. |
Finds vulnerabilities earlier in the SDLC The scan can be executed as soon as code is deemed feature-complete. | Finds vulnerabilities toward the end of the SDLC Vulnerabilities can be discovered after the development cycle is complete. |
Less expensive to fix vulnerabilities Since vulnerabilities are found earlier in the SDLC, it’s easier and faster to remediate them. Findings can often be fixed before the code enters the QA cycle. | More expensive to fix vulnerabilities Since vulnerabilities are found toward the end of the SDLC, remediation often gets pushed into the next cycle. Critical vulnerabilities may be fixed as an emergency release. |
Can’t discover run-time and environment-related issues Since the tool scans static code, it can’t discover run-time vulnerabilities. | Can discover run-time and environment-related issues Since the tool uses dynamic analysis on an application, it is able to find run-time vulnerabilities. |
Typically supports all kinds of software Examples include web applications, web services, and thick clients. | Typically scans only apps like web applications and web services DAST is not useful for other types of software. |