DAST vs SAST
Related service: Cybersecurity
DEFINITION
SAST (Static Application Security Testing) reads source code without running it: data-flow analysis traces untrusted input to dangerous sinks and hunts for SQL injection, XSS, hardcoded secrets, weak crypto and unsafe deserialization patterns. Fast, and it runs early in CI. Weakness: it never sees the running system (runtime configuration, the deployed environment, what the framework actually does at run time), so it emits a lot of false positives (tools: Semgrep, SonarQube).

DAST (Dynamic Application Security Testing) attacks the running app from the outside, as a pentester would: it logs in, sends payloads and watches the responses. A leaked SQL error, a reflected XSS, an open redirect: those do not always show up in SAST, because they depend on how the deployed app behaves (tools: OWASP ZAP, Burp). Weakness: it cannot see past authentication unless you hand it working credentials or a session, and it reports symptoms, not the line of code to fix.

Common false-positive patterns: SAST flags SQL injection on a parameterized query because the query builder looks like string concatenation; DAST reports a server error where the app merely answers an unauthenticated request with a 500 instead of a 401 (wrong status code, not a crash); SAST mistakes a test fixture for a hardcoded secret.

A serious stack runs both, plus IAST (an agent instrumenting the running app) plus SCA (dependency scan), and gates CI only on high-confidence findings, so the noisy ones land in a triage backlog instead of blocking every merge.
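To make the three behaviours concrete, the following is an added example (not code from this page or from DField): a deliberately injectable query beside a parameterized one and a parameterized one built with a query builder, a grep-style "SAST" rule that flags both concatenations, a crude taint-aware rule that only flags the one where a function parameter reaches the SQL text, a DAST-style tautology probe against the running functions, and a CI gate that fails only on high-confidence findings. It runs offline against an in-memory sqlite3 database with constructed rows; the rule names, the confidence labels and the assumption that `conn` is trusted input are all choices made for this illustration.

```python
"""Added example: pattern SAST vs data-flow SAST vs DAST on SQL-building code,
plus a confidence-based CI gate. Sample data and rule names are constructed."""
import inspect
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data, not from any real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn


def find_user_vulnerable(conn, name):
    # Attacker input is spliced into the SQL text: the classic injection.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Placeholder: the driver ships the value out of band, never parsed as SQL.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def find_user_builder(conn, name):
    # Also parameterized, but the query text is assembled with '+': a pattern
    # rule keyed on concatenation flags it although only constants are joined.
    where = ["name = ?"]
    sql = "SELECT id, name FROM users WHERE " + " AND ".join(where)
    return conn.execute(sql, (name,)).fetchall()


# A string literal immediately followed by '+': the grep-level heuristic.
PATTERN = re.compile(r'"[^"]*"\s*\+')


def sast_pattern(fn) -> list:
    """Grep-style rule: any SQL literal concatenated with anything. Noisy."""
    hits = []
    for n, line in enumerate(inspect.getsource(fn).splitlines(), 1):
        if "SELECT" in line and PATTERN.search(line):
            hits.append({"tool": "sast", "rule": "sqli-concat", "func": fn.__name__,
                         "line": n, "confidence": "low"})
    return hits


def sast_dataflow(fn) -> list:
    """Taint-aware rule: flag only when a function parameter (treated as
    untrusted input; 'conn' is assumed trusted) is an operand of the '+'."""
    params = set(inspect.signature(fn).parameters) - {"conn"}
    hits = []
    for n, line in enumerate(inspect.getsource(fn).splitlines(), 1):
        if "SELECT" not in line or not PATTERN.search(line):
            continue
        operands = {tok.strip() for tok in line.split("=", 1)[1].split("+")}
        if operands & params:
            hits.append({"tool": "sast", "rule": "sqli-taint", "func": fn.__name__,
                         "line": n, "confidence": "high"})
    return hits


def dast_probe(fn, conn) -> list:
    """Black-box: a tautology payload must not return more rows than a benign miss."""
    baseline = fn(conn, "nobody")
    probed = fn(conn, "nobody' OR '1'='1")
    if len(probed) > len(baseline):
        return [{"tool": "dast", "rule": "sqli-tautology", "func": fn.__name__,
                 "rows": len(probed), "confidence": "high"}]
    return []


def ci_gate(findings, min_confidence="high") -> bool:
    """True = pipeline passes. Fails only on findings at or above min_confidence."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return not any(rank[f["confidence"]] >= rank[min_confidence] for f in findings)


def scan_all() -> dict:
    """Run all three checks over the three query functions."""
    conn = make_db()
    report = {}
    for fn in (find_user_vulnerable, find_user_safe, find_user_builder):
        report[fn.__name__] = {"pattern": sast_pattern(fn),
                               "dataflow": sast_dataflow(fn),
                               "dast": dast_probe(fn, conn)}
    return report


if __name__ == "__main__":
    for func, result in scan_all().items():
        print(func, {k: len(v) for k, v in result.items()})
```

The pattern rule flags both `find_user_vulnerable` and `find_user_builder`; the taint rule and the DAST probe agree that only the first is exploitable, and the gate lets the low-confidence builder finding through while blocking on either high-confidence result.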
- Threat model→
A structured exercise that walks the system's actors, attack surface, risks, and controls. Day one of every DField project · before any code.
- Penetration test (pentest)→
Manual + tooled attack simulation that reveals what an attacker could achieve. We deliver findings as PRs in your repo, not an 80-page PDF.
- DevSecOps→
Security as a continuously-running CI step (SAST, DAST, SCA, IaC scan), not an annual project. Runs against every push; every sprint closes at least one security bug.
- MFA (Multi-factor auth)→
At least one additional factor (TOTP, WebAuthn, biometric) on top of the password, so that a stolen password alone is not enough. Table-stakes in SaaS today · enterprise procurement disqualifies you without it.
- SOC 2→
A US audit framework (AICPA Trust Services Criteria) covering security, availability, processing integrity, confidentiality and privacy controls. For SaaS, the Type II audit (6–12 months of observation) is the standard enterprise baseline.
- ISO 27001→
International standard for Information Security Management Systems (ISMS). Often preferred in Europe instead of or alongside SOC 2. 3-year certification cycle.
- 26 Apr 2026 · OWASP LLM Top 10 v2 · what changed and what to ship→
- 26 Apr 2026 · The CSP we ship · with notes on why each directive is there→
- 22 Apr 2026 · Signed-firmware OTA pipeline · the 2026 default we ship→
- 22 Apr 2026 · Agentic AI · the safe tool-use pattern we ship by default→
- 22 Apr 2026 · Solana smart contract gotchas · what bites every Anchor dev in 2026→
- 22 Apr 2026 · Multi-tenant SaaS on Postgres · the RLS-first playbook→
- 22 Apr 2026 · EIP-712 meta-transactions · gasless UX without compromising security→
- 22 Apr 2026 · Foundry invariant testing · the patterns we write on every audit→