Guide on Static and Dynamic Application Security Testing (SAST/DAST)

What is SAST/DAST?
Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) are essential methodologies for securing software applications.
SAST is a white box testing method used early in the development cycle to pinpoint issues, while DAST is a black box testing method used after deployment to detect vulnerabilities exposed in the running application.

Why it is important?
The security of software applications is crucial in the modern world. SAST/DAST is needed to identify and remediate software vulnerabilities, reducing the risk of unauthorized access and data breaches.

How it works?
SAST works by scanning source code, byte code, or binary code for coding patterns indicative of security risks. This is implementable throughout the development process.
DAST works by attacking the application in its running state, from the outside, to identify vulnerabilities otherwise hidden when the application is not running.

Exam Tips: Answering Questions on SAST/DAST
1. Understand the difference between SAST and DAST: Remember, SAST is pre-deployment, white box, source code checking. DAST is post-deployment, black box, run-time checking.
2. Know examples of issues each method identifies: SAST identifies problems with syntax, encryptions, etc., while DAST can find issues like input validities or session management.
3. Be aware of the limitations: Neither SAST nor DAST can identify all vulnerabilities. They are part of a comprehensive security strategy.
4. Practice questions: The more familiar you are with the question structure, the better prepared you will be. Use online resources to practice.