LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is DAST (Dynamic Application Security Testing) and how does it complement SAST?

DAST tests the running app like an attacker (blackbox) — it finds real runtime/config flaws SAST misses, but only late and only on reachable endpoints.

Aspect Details
When After deployment, in staging
Approach Blackbox (no source code)
Finds Auth bypasses, misconfigs, session flaws, runtime errors

Strengths:

  • Tests real deployed state
  • No false positives on exploitability (if it exploits, it's real)
  • Finds what SAST misses (config issues, environment bugs)

Limitations:

  • Finds issues late (needs running app)
  • Limited coverage (only reachable endpoints)
  • Can't show exact code location

SAST + DAST together:

SAST DAST
Early (in dev) Late (after deploy)
Code-level bugs Config/runtime bugs
Many false positives Few false positives

Tools: OWASP ZAP, Burp Suite, Acunetix, Nessus

Go deeper:

From Quiz: SPRG / Secure Programming Introduction | Updated: Jul 14, 2026