Static Application Security Testing

What Does Static Application Security Testing Mean?

Static application security testing (SAST) is a type of security testing that relies on inspecting the source code of an application. In general, SAST involves looking at the ways the code is designed to pinpoint possible security flaws.


Techopedia Explains Static Application Security Testing

SAST is often contrasted with another term that is, in some ways, opposite to it: dynamic application security testing (DAST). The difference between these two is that, with SAST, testers read the source code. They look for logical flaws, such as a loophole in data control, something that a hacker could use to gain access to the system. In contrast, in DAST, testers do not look at the source code but perform behavioral testing instead — they run the application and look for flaws that way.

IT experts also differentiate between the two using the terms "white box testing" and "black box testing." SAST is white box testing because the source code for the application is available and transparent. That is what testers look at. In contrast, DAST is black box testing because the source code is not part of the equation. Instead, black box testers rely solely on the behavior of the application.


Related Terms

Margaret Rouse
Technology Expert

Margaret is an award-winning technical writer and teacher known for her ability to explain complex technical subjects to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles by the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret's idea of a fun day is helping IT and business professionals learn to speak each other’s highly specialized languages.