
Static Application Security Testing

Understanding the Benefits of SAST

Discover Static Security Testing Benefits

WHAT IS STATIC APPLICATION SECURITY TESTING (SAST)?

Static application security testing (SAST) involves analyzing an application’s source code very early in the software development life cycle (SDLC). The SAST analysis specifically looks for coding and design vulnerabilities that make an organization’s applications susceptible to attack. Also known as white box testing, static application testing solutions analyze an application from the “inside out” when it is in a non-running state, trying to gauge its security strength.

By analyzing the entire codebase, SAST solutions prevent security issues from being passed into the next software development cycle.

There are three basic types of SAST testing: source code analysis, byte code analysis, and raw binary code analysis. SAST security solutions can be integrated directly into the development environment, allowing developers to constantly monitor their code and quickly mitigate vulnerabilities as they are discovered. Because SAST security tools give developers real-time feedback as they code, developers can fix issues before they pass into the next phase of the SDLC, which is much quicker than detecting and fixing them later in the SDLC.

A SAST solution is preferred over dynamic application security testing (DAST) for two reasons: SAST is able to find security issues earlier in the SDLC than DAST, which makes fixes less expensive, and SAST requires only the source code, whereas DAST needs to run the application.

On the other hand, static application security testing scans only static code, whereas dynamic application security testing can find runtime issues.

Contrast is the clear customers’ choice

Contrast is named a Customers’ Choice in the 2021 Gartner Peer Insights “Voice of the Customer”: Application Security Testing report. With the highest percentage of 5-star ratings, this is the third consecutive year Contrast has received this powerful endorsement from customers.

Built for Developers. Trusted by Security.

Learn Secure Code

CROSS SITE SCRIPTING (XSS)

Learn about cross-site scripting (XSS) and how it affects your Java source code

SQL INJECTION

Learn about SQL injection and how it affects your Java source code

CLIENT SIDE INJECTION

Learn about client-side injection and how it can affect your source code