SAST, DAST and IAST - What's the Difference?


Application Security Testing can be broadly classified into Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).

The two types of testing do not compete but rather complement each other. A robust application security testing plan can be developed for a project if the two types are applied appropriately during the different phases of development. By planning static and dynamic testing for the relevant phases, the whole SDLC is covered by security testing.

The following is a summary of SAST vs DAST; this information can help you finalize your application security testing strategy.

| | SAST | DAST |
|---|---|---|
| | Analyzes source code to find vulnerabilities and flaws | Tests the application from the outside, in its running state |
| White box vs black box | Testing is from a developer's perspective. The tester has complete knowledge of the underlying frameworks and design | Testing is from a hacker's perspective; it tries to attack the application like a hacker would. The tester does not have any information on the underlying architecture of the application |
| SDLC phase | Can be done in the initial phases of the SDLC, such as coding | Can be done only in the final phases (UAT, go-live), since the application needs to be up and running |
| Environment and run-time issues | Run-time flaws cannot be detected, since SAST scans static code | Run-time issues can be discovered. This is critical, since run-time and environment issues can be showstoppers |
| CI/CD compatibility | Can be integrated into CI/CD environments | Can be integrated only after the application build is ready and running |
| Language support | Cannot be used if the SAST tool does not support the language used for development | Has no dependency on the language in which the software is coded |
| | Developers have higher involvement in the security aspects, which in turn helps build security into the application design | Developers do not get clear visibility into the security aspects of the application, and fixes may become first aid rather than resolving design issues |
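To make the SAST column concrete, here is a small static check added as an example (it is not code from the original post): a Python AST walker that flags `subprocess` calls made with `shell=True` and `os.system` calls by parsing a constructed code sample without ever running it, then returns a non-zero status so a CI/CD step can fail at the coding phase. The sample source, the `shell=True` rule and the `ci_gate` helper are assumptions for the demonstration; being built on Python's `ast`, the check is tied to one language, as the Language support row notes.

```python
import ast
import sys

# Constructed sample source, as a SAST scanner sees it before the code ever runs.
SAMPLE_SOURCE = '''
import subprocess, os
def run(user_input):
    subprocess.run("ls " + user_input, shell=True)  # shell=True with concatenated input
    subprocess.run(["ls", user_input])              # list form, no shell involved
    os.system(os.environ["CMD"])                    # value of CMD exists only at run time
'''

def find_shell_findings(source):
    """Return sorted (line, message) pairs for shell-related calls, found by parsing only.

    The code is never executed, so the check can see that shell=True is passed but
    cannot know what user_input or os.environ["CMD"] will hold: that is the run-time
    blind spot the comparison above attributes to SAST."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Only handle calls of the form module.func(...), e.g. subprocess.run(...)
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)):
            continue
        name = f"{node.func.value.id}.{node.func.attr}"
        shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                         and kw.value.value is True for kw in node.keywords)
        if name.startswith("subprocess.") and shell_true:
            findings.append((node.lineno, f"{name} called with shell=True"))
        elif name == "os.system":
            findings.append((node.lineno, "os.system: command is resolved only at run time"))
    return sorted(findings)

def ci_gate(source):
    """Exit status for a CI/CD step: non-zero when any finding exists, so the
    pipeline fails at the coding phase rather than waiting for a running build."""
    findings = find_shell_findings(source)
    for line, message in findings:
        print(f"line {line}: {message}")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(ci_gate(SAMPLE_SOURCE))
```

The list-form `subprocess.run` call on line 5 of the sample is deliberately not reported, and the `os.system` finding shows the limit: the scanner sees the call, but only a running application (the DAST column) can reveal what `CMD` actually contains.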

Cost-Benefit Analysis of SAST

While DAST is employed in many application security testing programs, there is often apprehension about adopting SAST because of the cost of procuring and integrating a SAST tool.

A SAST tool does involve initial setup costs, including licensing, developer training and integration. However, it delivers significant savings by finding flaws earlier in the development cycle. Research by the IBM Systems Sciences Institute reveals that the cost of fixing a flaw at a later stage is exponentially higher.

Filed in: Risk & Security
Srinivas Kedarisetty, Security Product Owner
Srinivas has more than 18 years of experience in leading IT delivery teams across India, the U.S. and Europe while managing product security, microservices and SDK. Highly skilled in developing and driving products from conception through the entire product lifecycle, Srinivas has a track record of improving products and teams to create value for customers.