Quiz Entry - updated: 2026.07.14
What is DAST (Dynamic Application Security Testing) and how does it complement SAST?
DAST tests the running app like an attacker (blackbox) — it finds real runtime/config flaws SAST misses, but only late and only on reachable endpoints.
| Aspect | Details |
|---|---|
| When | After deployment, in staging |
| Approach | Blackbox (no source code) |
| Finds | Auth bypasses, misconfigs, session flaws, runtime errors |
Strengths:
- Tests real deployed state
- No false positives on exploitability (if it exploits, it's real)
- Finds what SAST misses (config issues, environment bugs)
Limitations:
- Finds issues late (needs running app)
- Limited coverage (only reachable endpoints)
- Can't show exact code location
SAST + DAST together:
| SAST | DAST |
|---|---|
| Early (in dev) | Late (after deploy) |
| Code-level bugs | Config/runtime bugs |
| Many false positives | Few false positives |
Tools: OWASP ZAP, Burp Suite, Acunetix, Nessus
Go deeper:
OWASP — Vulnerability Scanning Tools (DAST) — OWASP's catalogue of DAST scanners (ZAP, Burp, Acunetix, Nessus).