LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is SAST (Static Application Security Testing)?

SAST analyzes source code WITHOUT running it (whitebox) — it catches bugs early with exact file/line, but is prone to false positives and misses runtime/config issues.

SAST (whitebox, reads source, early, exact file+line, false positives) vs DAST (blackbox, runs the app, late, real exploits).

* SAST (whitebox, early, false positives) versus DAST (blackbox, late, real exploits) — they find different bugs and complement. *

Aspect Details
When During development, in CI/CD
Approach Whitebox (sees all code)
Finds SQL injection, buffer overflows, hardcoded secrets, unsafe functions

Strengths:

  • Finds bugs early (shift-left)
  • Shows exact file and line number
  • Scalable to large codebases

Limitations:

  • False positives — Flags non-issues
  • Can't find runtime/config problems
  • Misses business logic flaws
  • Blind to cross-system data flows

Tools: SonarQube, Semgrep, Checkmarx, Fortify, CodeQL

Mnemonic: "SAST = Source Analysis, Stops Threats early"

Go deeper:

From Quiz: SPRG / Secure Programming Introduction | Updated: Jul 14, 2026