SAST and DAST
Automated security testing - SAST analyzes source code at rest, DAST exercises a running application.
Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed May 5, 2026.
Definition
Static Application Security Testing (SAST) analyzes source code, bytecode, or binaries without executing them, looking for known vulnerable patterns (SQL injection, buffer overflows, hardcoded secrets, insecure crypto). Dynamic Application Security Testing (DAST) probes a running application from the outside, exercising authenticated and unauthenticated paths to find runtime issues (auth bypass, injection, misconfiguration). Together they cover complementary parts of the OWASP testing surface and are baseline tooling for any modern CI/CD pipeline.
What the regulation says
FDA's 2023 guidance expects security testing throughout development, with both static and dynamic analysis as standard components. NIST SP 800-218 (SSDF) and IEC 81001-5-1 both include SAST/DAST in their lifecycle activity sets. The submission should describe which tools were used, what they covered, and how findings were dispositioned.
What this means in practice
SAST belongs in the developer's PR check (Semgrep, CodeQL, SonarQube, Checkmarx). DAST belongs in nightly or release-gate CI (OWASP ZAP, Burp Suite, Invicti). Both produce noise; mature teams tune rule sets, baseline known issues, and route real findings into the CAPA and security-fix workflow rather than dumping the raw tool output into the submission.
Common pitfalls
- Submitting raw tool output without triage - reviewers cannot tell signal from noise.
- Running SAST/DAST only at submission rather than continuously through the build pipeline.
- Skipping SCA (Software Composition Analysis) - SAST finds your code's bugs, SCA finds your dependencies' bugs.
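One way to do the baselining and triage described above, as an added example that is not part of the original page: a small Python PR gate that fingerprints SARIF results (the report format CodeQL and Semgrep can emit) by rule, file and code snippet rather than line number, drops findings already dispositioned in a baseline, and fails the check only on new error-level findings. The sample results, rule ids, paths and baseline are constructed for this example.

```python
import hashlib
import json

# Constructed sample in SARIF shape (fields CodeQL/Semgrep --sarif emit);
# rule ids, paths and snippets are made up for this example.
SARIF_SAMPLE = json.dumps({"runs": [{"results": [
    {"ruleId": "EX-SQLI-001", "level": "error",
     "message": {"text": "SQL query built with string formatting"},
     "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "app/db.py"},
         "region": {"startLine": 42, "snippet": {"text": "cur.execute(q % uid)"}}}}]},
    {"ruleId": "EX-SECRET-002", "level": "warning",
     "message": {"text": "Hardcoded credential"},
     "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "app/config.py"},
         "region": {"startLine": 7, "snippet": {"text": "API_KEY = 'placeholder'"}}}}]},
]}]})

def fingerprint(result):
    """Stable id from rule + file + snippet text (not line number), so a
    dispositioned finding is not re-opened when code above it shifts."""
    loc = result["locations"][0]["physicalLocation"]
    snippet = loc["region"].get("snippet", {}).get("text", "").strip()
    raw = "|".join([result["ruleId"], loc["artifactLocation"]["uri"], snippet])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

# Constructed baseline: the credential finding was already dispositioned
# (tracked in CAPA), so it must not fail the PR gate again.
BASELINE = {fingerprint(json.loads(SARIF_SAMPLE)["runs"][0]["results"][1])}

def triage(sarif_text, baseline, fail_levels=("error",)):
    """Return (new_findings, gate_passes) for results not in the baseline."""
    new = []
    for run in json.loads(sarif_text)["runs"]:
        for r in run["results"]:
            fp = fingerprint(r)
            if fp in baseline:
                continue  # already triaged; stays out of the gate
            new.append({"fingerprint": fp, "rule": r["ruleId"],
                        "level": r.get("level", "warning"),  # SARIF default
                        "file": r["locations"][0]["physicalLocation"]["artifactLocation"]["uri"],
                        "message": r["message"]["text"]})
    gate_passes = not any(f["level"] in fail_levels for f in new)
    return new, gate_passes

if __name__ == "__main__":
    findings, ok = triage(SARIF_SAMPLE, BASELINE)
    print(json.dumps(findings, indent=2))  # only new findings reach the reviewer
    raise SystemExit(0 if ok else 1)  # non-zero exit blocks the merge
```

Promoting a fingerprint into the baseline is a deliberate step taken when the finding has been dispositioned, which keeps the gate's output equal to the unreviewed delta rather than the raw scanner report.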
Frequently asked questions
Yes - they find different classes of issues. SAST sees the whole codebase including unreachable paths; DAST sees what an attacker actually sees but only on exercised paths.
Primary references
- [1] FDA Cybersecurity Guidance (Sept 2023). FDA, fda.gov
- [2] NIST SP 800-218 (SSDF). NIST, csrc.nist.gov
- [3] OWASP ASVS. OWASP, owasp.org