Application Security

SAST (Static Application Security Testing)

A testing methodology that analyzes source code, bytecode, or binary code for security vulnerabilities without executing the program, often called 'white-box' testing. SAST tools scan codebases for patterns that match known vulnerability types such as SQL injection, XSS, buffer overflows, and hardcoded credentials. They integrate into CI/CD pipelines to catch issues early in the development lifecycle (shift-left security). Popular SAST tools include SonarQube, Checkmarx, Semgrep, and Fortify. SAST complements DAST (runtime testing) and is a fundamental practice in DevSecOps and secure SDLC, tested in CSSLP and DevSecOps certifications.

Why It Matters

In practice, SAST is critical because it catches security vulnerabilities during development when they are cheapest and easiest to fix, before code reaches production where remediation costs increase exponentially. Organizations that fail to integrate SAST into their development pipelines release vulnerable code that is later discovered by attackers or expensive penetration tests. A major challenge with SAST tools is managing false positives, which can overwhelm developers and lead to alert fatigue where real vulnerabilities are ignored among noise. Tuning SAST rules to match the organization's technology stack and risk tolerance is essential for adoption by development teams. On certification exams such as CSSLP, DevSecOps Foundation, and Security+, expect questions about where SAST fits in the secure development lifecycle, comparing SAST with DAST and IAST approaches, understanding the trade-offs between false positive rates and detection coverage, and integrating SAST into CI/CD pipelines as automated quality gates.

Practice this topic

Test your knowledge of SAST (Static Application Security Testing) concepts with exam-style practice questions.

CSSLP GWAPT DevSecOps

Related Application Security terms

OWASP

The Open Web Application Security Project — a nonprofit foundation focused on improving software security through community-led open-source projects, tools, documentation, and standards. OWASP is best known for the OWASP Top 10 — a regularly updated list of the most critical web application security risks (including injection, broken authentication, XSS, and security misconfiguration). Other key projects include the OWASP Testing Guide, ASVS (Application Security Verification Standard), ZAP (Zed Attack Proxy), and the Mobile Security Testing Guide. OWASP resources are referenced across virtually every security certification and are the de facto standard for web application security assessments.

DAST (Dynamic Application Security Testing)

A testing methodology that analyzes running applications for vulnerabilities by simulating external attacks without access to source code, often called 'black-box' testing. DAST tools interact with the application through its interfaces (HTTP requests, APIs) to find issues like injection flaws, authentication problems, configuration errors, and sensitive data exposure. Unlike SAST, DAST finds runtime-specific issues but cannot pinpoint the exact line of vulnerable code. Popular DAST tools include OWASP ZAP, Burp Suite, Nikto, and Acunetix. DAST is used alongside SAST in a comprehensive application security program and is tested in CEH, OSCP, and DevSecOps certifications.

DevSecOps

An approach that integrates security practices within the DevOps process throughout the entire software development lifecycle, making security a shared responsibility rather than an afterthought. DevSecOps automates security testing at every stage: SAST in code commits, dependency scanning in builds, DAST in staging, infrastructure-as-code scanning, and container image scanning before deployment. Key principles include shift-left security, security as code, automated compliance checks, and continuous monitoring in production. Tools include GitHub Advanced Security, Snyk, HashiCorp Vault, and Falco. DevSecOps is increasingly tested in CISSP, CSSLP, and dedicated DevSecOps foundation certifications.

CSRF (Cross-Site Request Forgery)

An attack that forces authenticated users to submit unwanted requests to a web application where they are currently logged in, exploiting the trust that the site has in the user's browser. For example, an attacker could craft a link that transfers funds or changes account settings when clicked by a logged-in user. CSRF works because browsers automatically include session cookies with every request to a domain. Defenses include anti-CSRF tokens (synchronizer tokens), SameSite cookie attributes, checking the Origin/Referer headers, and requiring re-authentication for sensitive actions. CSRF is an OWASP Top 10 vulnerability and is tested in CEH, OSCP, and web application security certifications.