What is SAST vs DAST and where do they fit in a DevSecOps pipeline?

Medium Topic: System Design May 24, 2026

SAST (Static Application Security Testing): Analyzes source code (or bytecode) without executing it, typically by pattern matching or by tracing tainted data from untrusted sources to dangerous sinks. Runs early in CI, on every commit or PR, so findings land before code is merged. Tools: Semgrep, SonarQube, Bandit (Python), gosec (Go). Fast, no running application needed, and it sees every code path including ones not reachable over the network. Trade-offs: it is language-specific, cannot tell whether a flagged path is actually reachable, and therefore produces false positives that need triage and rule tuning.
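
Added example, not from the original page and not a rule shipped by any of the tools named above: a minimal SAST check written with Python's ast module, so it parses the code but never runs it. It flags DB-API cursor.execute()/executemany() calls whose query string is assembled at runtime, the usual way SQL injection enters code. The cursor method names, the rule id and the sample module it scans are assumptions constructed for the demo.

```python
# Added example (not from the original page, not a Semgrep or Bandit rule):
# a minimal SAST check built on Python's `ast` module. It parses source text
# without executing it and flags DB-API cursor.execute()/executemany() calls
# whose query is assembled at runtime (f-string, +, %, .format). The method
# names, the rule id and the SAMPLE source are assumptions made for the demo.
import ast

DB_EXEC_METHODS = {"execute", "executemany"}  # assumption: DB-API style cursor methods
RULE_ID = "sql-injection-dynamic-query"        # made-up rule id


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the node builds a string at runtime rather than being a literal."""
    if isinstance(node, ast.JoinedStr):  # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return True  # "... %s" % x
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        # "a" + "b" is still a literal; only flag when a non-literal is spliced in
        return not (isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True  # "... {}".format(x)
    return False


def find_sql_injection(source: str, filename: str = "<string>") -> list[dict]:
    """Scan one file's source text and return one finding per dynamic query."""
    findings = []
    tree = ast.parse(source, filename)  # parse only; nothing in `source` runs
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in DB_EXEC_METHODS:
            if _is_dynamic_string(node.args[0]):
                findings.append({
                    "file": filename,
                    "line": node.lineno,
                    "rule": RULE_ID,
                    "snippet": ast.get_source_segment(source, node),
                })
    return findings


def ci_exit_code(findings: list[dict]) -> int:
    """CI gate: a non-zero exit fails the PR check when any finding exists."""
    return 1 if findings else 0


# Constructed sample module: two injectable queries and one parameterized one.
SAMPLE = '''
def get_user(cursor, user_id):
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")        # flagged
    cursor.execute("SELECT * FROM users WHERE id = " + user_id)        # flagged
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))    # safe: bound parameter
    return cursor.fetchone()
'''

if __name__ == "__main__":
    results = find_sql_injection(SAMPLE, "app/users.py")
    for f in results:
        print(f"{f['file']}:{f['line']}: {f['rule']}: {f['snippet']}")
    raise SystemExit(ci_exit_code(results))
```

Run directly, the exit code is the PR gate. The .format branch also shows the classic SAST trade-off: matching any attribute called format keeps the rule simple but will flag non-string objects too, which is the kind of false positive a real ruleset narrows with taint tracking from request parameters to the sink.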

DAST (Dynamic Application Security Testing): Tests the running application from the outside, as a black box, by sending malicious inputs and analyzing the responses. Runs against a deployed staging environment, so it sits later in the pipeline and is slower than SAST. Tools: OWASP ZAP, Burp Suite. Language-agnostic, and it finds vulnerabilities that only show up at runtime and that SAST misses or cannot confirm: authentication and authorization bypass, injection reachable through the real request path, server misconfiguration and missing security headers. Trade-offs: it needs a deployed build and test data, it only covers the endpoints it can crawl or is pointed at, and it reports symptoms without pointing at the line of code responsible.
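
Added example, not from the original page and not code from OWASP ZAP or Burp Suite: the DAST loop in miniature, in Python. The target is a constructed WSGI toy with two deliberate flaws (unencoded reflection of a query parameter, and an admin page whose authorization depends on a client-supplied header) so the probes have something to find; it is driven in-process so the example runs offline. The canary string, paths, header name and finding names are all assumptions, and the same app with hardened=True shows the probes passing once the flaws are fixed.

```python
# Added example (not from the original page, not ZAP's or Burp's code): the
# DAST loop in miniature. The scanner sends crafted requests to a running app
# and judges each response; it never sees the source. The "running app" is a
# constructed WSGI toy driven in-process so this runs offline. Its two flaws,
# the canary value, the paths and the finding names are all made up for the demo.
from html import escape
from urllib.parse import parse_qs, urlencode

HTML = [("Content-Type", "text/html")]


def make_app(hardened: bool):
    """Constructed target. hardened=False reflects ?q= unencoded and lets a
    client-supplied X-Internal header open /admin; hardened=True fixes both."""

    def app(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        query = parse_qs(environ.get("QUERY_STRING", ""))
        if path == "/search":
            q = query.get("q", [""])[0]
            shown = escape(q) if hardened else q  # flaw 1: no output encoding
            start_response("200 OK", HTML)
            return [f"<p>Results for {shown}</p>".encode()]
        if path == "/admin":
            # flaw 2: authorization decided by a header the client controls
            trusted = (not hardened) and environ.get("HTTP_X_INTERNAL") == "1"
            if trusted:
                start_response("200 OK", HTML)
                return [b"<h1>admin panel</h1>"]
            start_response("403 Forbidden", HTML)
            return [b"forbidden"]
        start_response("404 Not Found", HTML)
        return [b"not found"]

    return app


def send(app, path, query=None, headers=None):
    """Minimal client: drives the WSGI app directly (stand-in for HTTP to staging)."""
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "QUERY_STRING": urlencode(query or {})}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


XSS_CANARY = "<dast-canary-7f3a>"  # tag-bearing marker; real scanners randomise it


def probe_reflected_xss(app, path, param):
    """Reflected XSS check: the canary comes back with its angle brackets intact."""
    _, body = send(app, path, {param: XSS_CANARY})
    return XSS_CANARY in body


def probe_header_auth_bypass(app, path, header="X-Internal", value="1"):
    """Auth bypass check: denied without the header, allowed with it."""
    denied, _ = send(app, path)
    allowed, _ = send(app, path, headers={header: value})
    return denied.startswith("403") and allowed.startswith("200")


def scan(app):
    """Run every probe and return the list of findings (empty means clean)."""
    findings = []
    if probe_reflected_xss(app, "/search", "q"):
        findings.append("reflected-xss:/search?q")
    if probe_header_auth_bypass(app, "/admin"):
        findings.append("auth-bypass-header:/admin")
    return findings


if __name__ == "__main__":
    print("vulnerable build:", scan(make_app(hardened=False)))
    print("hardened build:  ", scan(make_app(hardened=True)))
```

Note what the scanner does and does not know: it never reads the source and only compares responses, which is why it catches the header-based authorization flaw (a decision made at runtime) and also why its coverage ends at the paths it was pointed at and it cannot say which line is at fault.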

DevSecOps pipeline: SAST on PR (block merge on high-severity findings) → build image → Trivy scan of the image for known CVEs in OS packages and application dependencies → deploy to staging → DAST against staging → promote to prod only if no unaccepted findings remain. Each stage is a gate with an explicit failure threshold; findings below it are triaged and tracked rather than blocking, otherwise teams route around the pipeline.
