Application Security
SAST (Static Application Security Testing)
Also known as: Static analysis, White-box testing
Definition
Automated analysis of source code, bytecode or binaries — without executing them — to find security weaknesses such as injection, unsafe API usage or insecure cryptography.
Examples
- Running Semgrep with the OWASP Top 10 ruleset on every pull request.
- Using GitHub CodeQL to catch path traversal in a Java service before merge.
Related terms
DAST (Dynamic Application Security Testing)
Black-box security testing that probes a running application over the network to find vulnerabilities visible only at runtime, such as injection, auth flaws and misconfigurations.
IAST (Interactive Application Security Testing)
Application security testing that instruments a running application from the inside to observe code execution while it is being exercised by traffic or tests.
SCA (Software Composition Analysis)
Automated analysis of an application's open-source and third-party components to identify known vulnerabilities, license issues and outdated or risky dependencies.
Secure Coding
Secure Coding — definition coming soon.
DevSecOps
A culture and set of practices that integrates security responsibilities into DevOps workflows so engineers ship secure software continuously and at speed.
OWASP Top 10
OWASP Top 10 — definition coming soon.