What is SAST vs DAST?

Answer

SAST (Static Application Security Testing) analyzes source code, bytecode, or binaries without executing the program to find security vulnerabilities. It's done in the development phase (IDE plugins, CI/CD). Finds: hardcoded secrets, SQL injection patterns, buffer overflows, dangerous function use, insecure configs. Advantages: catches issues early (before deployment), covers 100% of code paths. Disadvantages: high false positive rate, can't find runtime/configuration issues. Tools: Checkmarx, Veracode, SonarQube, Semgrep, CodeQL.

DAST (Dynamic Application Security Testing) tests the running application from the outside — like an attacker would, sending malicious inputs and observing responses. Finds: XSS, SQLi, SSRF, auth issues, misconfigurations that are only visible at runtime. Advantages: low false positives, finds runtime issues. Disadvantages: can't cover all code paths, runs later in the lifecycle. Tools: OWASP ZAP, Burp Suite, Nikto, Nessus.

Best practice: use both — SAST in CI for fast feedback, DAST against staging/pre-prod environments.