# SAST / DAST / SCA (Application Security Testing)
Three complementary methods for software security testing: SAST performs static analysis of source code, DAST dynamically tests running applications, and SCA checks third-party dependencies for known CVEs. Together, they form the foundation of modern CI/CD security pipelines.
SAST, DAST, and SCA are the three pillars of Application Security Testing (AST). Each method identifies different vulnerabilities—only when combined in a CI/CD pipeline can comprehensive application security be achieved.
## SAST - Static Application Security Testing
SAST analyzes source code, bytecode, or binary code without executing the application.
How SAST works:

```text
Source code → Parser → Abstract Syntax Tree (AST)
            → Dataflow analysis (how does data flow?)
            → Taint analysis (does user input enter dangerous functions without validation?)
            → Pattern matching (known insecure code patterns)
```
### What SAST finds
```python
import hashlib

# SAST finds this code:
def login(username, password):
    query = "SELECT * FROM users WHERE username='" + username + "'"
    # SAST alert: "User input directly in SQL query - potential SQL injection"
    md5_hash = hashlib.md5(password.encode())  # SAST alert: weak crypto (MD5)
    return query, md5_hash.hexdigest()

# SAST also finds:
api_key = "sk-proj-abc123def456"  # SAST alert: hardcoded secret
```
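To show what the parser → dataflow → taint → pattern-matching chain above actually does, here is an added toy analyzer written for this page (it is not code from the original page and not a rule from Semgrep, CodeQL or any other tool listed below). It parses Python source with the standard `ast` module, treats every function parameter as attacker-controlled, propagates taint through assignments into a `cursor.execute()` sink, and pattern-matches hardcoded secrets and `hashlib.md5`. The sink names, the secret-prefix regex and both sample sources are assumptions constructed for the demonstration.

```python
"""Toy static analyzer: parse Python source into an AST, propagate taint from
function parameters to a SQL sink, and pattern-match secrets and weak hashes.
Added illustration of the SAST pipeline above, not a real tool."""
import ast
import re

SQL_SINKS = {"execute", "executemany"}   # assumed sink method names (DB-API cursors)
WEAK_HASHES = {"md5", "sha1"}            # hash functions reported as weak crypto
# Constructed prefixes that look like API keys; real secret scanners use hundreds of patterns
SECRET_RE = re.compile(r"^(sk-|AKIA|ghp_)[A-Za-z0-9_-]{6,}$")


def _names(node):
    """All variable names referenced anywhere inside an expression node."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def analyze(source):
    """Return sorted (line, rule_id, message) findings for one Python module."""
    tree = ast.parse(source)
    findings = []

    # 1) Taint analysis, per function: parameters are the taint sources.
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = {a.arg for a in func.args.args}
        for node in ast.walk(func):
            # Dataflow: assigning an expression that mentions a tainted name taints
            # the target; "+", f-strings, .format() and % all keep the taint.
            if isinstance(node, ast.Assign) and _names(node.value) & tainted:
                tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
            # Sink: cursor.execute(<expression that contains tainted data>)
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr in SQL_SINKS and node.args
                    and _names(node.args[0]) & tainted):
                findings.append((node.lineno, "SQL_INJECTION",
                                 "user input reaches a SQL sink without parameterization"))

    # 2) Pattern matching over the whole module.
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str) and SECRET_RE.match(node.value.value)):
            findings.append((node.lineno, "HARDCODED_SECRET", "credential-like string literal"))
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in WEAK_HASHES
                and isinstance(node.func.value, ast.Name) and node.func.value.id == "hashlib"):
            findings.append((node.lineno, "WEAK_CRYPTO",
                             f"hashlib.{node.func.attr} is unsuitable for passwords"))
    return sorted(findings)


# Constructed sample inputs: the vulnerable pattern from the page and a hardened rewrite.
VULNERABLE = '''\
import hashlib

api_key = "sk-proj-abc123def456"

def login(cursor, username, password):
    query = "SELECT * FROM users WHERE username='" + username + "'"
    cursor.execute(query)
    return hashlib.md5(password.encode()).hexdigest()
'''

FIXED = '''\
import hashlib, os

api_key = os.environ["API_KEY"]

def login(cursor, username, password):
    cursor.execute("SELECT * FROM users WHERE username = %s", (username,))
    return hashlib.scrypt(password.encode(), salt=os.urandom(16), n=2**14, r=8, p=1)
'''

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(label, analyze(src) or "no findings")
```

The analyzer reports three findings on the vulnerable source (lines 3, 7 and 8) and none on the parameterized rewrite. It has no notion of sanitizers and does not follow taint across function calls, which is exactly the trade-off behind the high false-positive rate attributed to SAST in the comparison table: a real engine models sanitizers and inter-procedural flow to cut the noise.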
### SAST Tools
| Tool | License | Languages | Strength |
|---|---|---|---|
| Semgrep | LGPL + Rules require payment | 30+ | Fast, customizable |
| SonarQube | Open Source / Enterprise | 30+ | Code Quality + Security |
| CodeQL | Free for OSS | 10+ | GitHub-native, powerful |
| Checkmarx | Commercial | 30+ | Enterprise market leader |
| Veracode | Commercial | 20+ | Cloud-based |
| Snyk Code | Freemium | 15+ | Developer-friendly |
### SAST in CI/CD

```yaml
# Semgrep in GitHub Actions
name: SAST
on: [push, pull_request]
jobs:
  semgrep:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: semgrep/semgrep-action@v1
        with:
          config: >-
            p/python
            p/owasp-top-ten
            p/secrets
```
## DAST - Dynamic Application Security Testing
DAST tests the running application from the outside—similar to an attacker.
How DAST works:

```text
Running application → Send HTTP requests
                    → Analyze responses
                    → Test attack payloads (XSS, SQLi, SSRF, etc.)
                    → Identify vulnerabilities
```

Advantage: finds runtime vulnerabilities that SAST overlooks:

- Misconfigurations (security headers, TLS)
- Business logic errors (IDOR, auth bypasses)
- Deserialization errors
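The "misconfigurations (security headers)" item is the easiest DAST check to see end to end. The following added example (written for this page; it is not the page's own code and not a ZAP rule) starts a constructed local HTTP target, requests two paths and judges each response purely by what is observable from outside, the way a baseline scan does. The header checklist, its acceptance predicates and the `DemoApp` target are assumptions made for the demonstration.

```python
"""Minimal black-box (DAST-style) check of HTTP security headers, run against a
constructed local target so it works offline. Added illustration, not a ZAP rule set."""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed checklist, modelled on what a baseline scan reports as a missing header;
# each entry maps a header (lower-case) to a predicate that accepts its value.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v,
    "content-security-policy": lambda v: bool(v.strip()),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}


class DemoApp(BaseHTTPRequestHandler):
    """Constructed target: /secure sets the headers, every other path omits them."""

    def do_GET(self):
        # send_response_only() skips the automatic Server/Date headers so the
        # example controls exactly what goes on the wire.
        self.send_response_only(200)
        self.send_header("Content-Type", "text/html")
        if self.path == "/secure":
            self.send_header("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
            self.send_header("Content-Security-Policy", "default-src 'self'")
            self.send_header("X-Content-Type-Options", "nosniff")
            self.send_header("X-Frame-Options", "DENY")
        else:
            self.send_header("Server", "DemoApp/1.0 (Python)")  # version disclosure
        self.end_headers()
        self.wfile.write(b"<html><body>ok</body></html>")

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Start the target on a random loopback port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), DemoApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def scan(url):
    """Request the URL and judge the response only by what is externally observable."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        headers = {k.lower(): v for k, v in resp.getheaders()}
    findings = []
    for name, acceptable in REQUIRED_HEADERS.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"MISSING {name}")
        elif not acceptable(value):
            findings.append(f"WEAK {name}: {value}")
    server = headers.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"INFO server header discloses a version: {server}")
    return findings


if __name__ == "__main__":
    srv, base = start_server()
    try:
        for path in ("/insecure", "/secure"):
            print(path, scan(base + path) or "clean")
    finally:
        srv.shutdown()
        srv.server_close()
```

The scanner never sees source code: `/insecure` yields four missing headers plus a version-disclosure note, `/secure` yields nothing. That is the DAST trade-off in miniature: low false-positive rate because every finding is a real observed response, but zero visibility into why the header is absent.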
### DAST Tools
| Tool | Type | Features |
|---|---|---|
| OWASP ZAP | Open Source | CI/CD integration, baseline scan |
| Burp Suite Pro | Commercial | Manual + automated scan, standard for penetration testing |
| Nuclei | Open Source | Template-based, very fast |
| Nikto | Open Source | Fast, configuration check |
| Acunetix | Commercial | JavaScript rendering, REST API |
### DAST in CI/CD

```yaml
# OWASP ZAP in GitHub Actions (Baseline Scan)
dast:
  runs-on: ubuntu-latest
  steps:
    - name: ZAP Scan
      uses: zaproxy/action-baseline@v0.10.0
      with:
        target: 'https://staging.meineapp.de'
        cmd_options: '-T 120'
```
## SCA - Software Composition Analysis
SCA checks third-party libraries and dependencies for known CVEs.
Problem: modern applications typically have 500–1,000 dependencies (direct: 30–50, transitive: 450–950).

SCA scans:

```text
requirements.txt, package.json, pom.xml, build.gradle
  → each dependency against CVE databases
  → NVD (NIST), Snyk Vuln DB, GitHub Advisory DB
```

Known SCA findings:

```text
log4j            → CVE-2021-44228 (Log4Shell, CVSS 10.0)
spring-framework → CVE-2022-22965 (SpringShell)
requests < 2.31  → SSRF risk
```
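The core of an SCA tool is a version-range match between resolved dependencies and an advisory feed. The following added example (written for this page; not the page's own code and not pip-audit or Snyk) parses pinned entries from a requirements.txt and checks each one against a constructed feed with `[introduced, fixed)` ranges. The feed, its placeholder advisory ids (`CVE-EXAMPLE-…`, not real CVE numbers), the `somelib` package and the sample lockfile are assumptions; only the `requests < 2.31` range mirrors the finding cited above.

```python
"""Toy software composition analysis: resolve pinned dependencies from a
requirements.txt and match them against an advisory feed with version ranges.
Added illustration; production tools query NVD / OSV / GitHub Advisory DB."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    package: str
    advisory_id: str
    introduced: Optional[str]   # first affected version; None means "all earlier versions"
    fixed: str                  # first version that is NOT affected
    severity: str


# Constructed feed. The requests range mirrors "requests < 2.31" cited above; the
# advisory ids are placeholders, not real CVE numbers.
ADVISORIES = [
    Advisory("requests", "CVE-EXAMPLE-0001", None, "2.31.0", "high"),
    Advisory("flask", "CVE-EXAMPLE-0002", None, "2.2.5", "high"),
    Advisory("somelib", "CVE-EXAMPLE-0003", "1.2.0", "1.4.1", "medium"),
]


def vtuple(version):
    """Numeric version tuple padded to 3 parts so that 2.31 == 2.31.0.
    Pre-release tags are ignored here; real tools use PEP 440 parsing."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (3 - len(parts)))


def affected(version, adv):
    """Is `version` inside the half-open range [introduced, fixed)?"""
    v = vtuple(version)
    above_start = adv.introduced is None or v >= vtuple(adv.introduced)
    return above_start and v < vtuple(adv.fixed)


def parse_requirements(text):
    """Return {package: version} for exact pins. Unpinned specifiers are skipped:
    SCA must run on resolved versions (a lockfile), not on loose ranges."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def scan(requirements_text, advisories=ADVISORIES):
    """Return one finding tuple per (dependency, advisory) match."""
    deps = parse_requirements(requirements_text)
    hits = []
    for adv in advisories:
        version = deps.get(adv.package.lower())
        if version is not None and affected(version, adv):
            hits.append((adv.package, version, adv.advisory_id, adv.severity, adv.fixed))
    return hits


# Constructed lockfile content for the demo.
REQUIREMENTS = """\
# pinned by pip-compile (constructed example)
requests==2.28.1
flask==3.0.0
somelib==1.3.2
urllib3>=2.0      # unpinned: skipped by the parser
"""

if __name__ == "__main__":
    for pkg, ver, adv_id, sev, fixed in scan(REQUIREMENTS):
        print(f"{sev.upper():8} {pkg}=={ver}  {adv_id}  upgrade to >= {fixed}")
```

On the sample lockfile only `requests` and `somelib` match; `flask==3.0.0` is above its advisory's fixed version, and the unpinned `urllib3` line is ignored. The "very low false-positive rate" in the comparison table comes from exactly this shape of check: a match is a fact about the declared version, although whether the vulnerable code path is reachable is a separate question real tools answer with reachability analysis.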
### SCA Tools
| Tool | License | Integration |
|---|---|---|
| Snyk | Freemium | GitHub, GitLab, npm, pip, maven |
| OWASP Dependency Check | Open Source | Maven, Gradle, CLI |
| pip-audit | Open Source | Python-specific |
| npm audit | Built-in | Node.js-specific |
| Dependabot | GitHub-native | Auto-PRs for updates |
| Socket | Freemium | Supply Chain Security |
SCA commands (local):

```shell
pip-audit                      # Python
npm audit --audit-level=high   # Node.js
```
## SAST vs. DAST vs. SCA Comparison

| Criterion | SAST | DAST | SCA |
|---|---|---|---|
| When | Compile-time | Runtime (Staging) | Build-time |
| What | Own code | Running app | Dependencies |
| False Positive Rate | High | Low | Very low |
| Detects logic bugs | Rarely | Yes | No |
| Shift Left | Strong | Medium | Medium |
## Recommendation: Minimal Security Pipeline

```yaml
# Pipeline: SAST + SCA + DAST
on: [push, pull_request]
jobs:
  sast:
    steps:
      - name: Semgrep (OWASP Top 10 + Secrets)
  sca:
    steps:
      - name: pip-audit / npm audit
      - name: Snyk (for more coverage)
  dast:
    steps:
      - name: ZAP Baseline (on staging)

# Policy:
#   SAST  Critical + High: build fails
#   SCA   Critical: build fails, High: warning
#   DAST  High: alert for the security team
```
This minimal pipeline covers the most common vulnerabilities—without a large budget or team.