Security Glossary
Definition
SAST: What is Static Application Security Testing?
A white-box security testing approach that analyzes application source code, bytecode, or compiled binaries for vulnerability patterns without executing the program. SAST tools integrate into IDEs and CI/CD pipelines to give developers fast feedback on issues such as hardcoded credentials, SQL string concatenation, and insecure API usage. SAST produces higher false-positive rates than DAST and cannot detect runtime vulnerabilities, making it most effective when combined with dynamic testing and manual review.
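As an added illustration, not part of this glossary entry or of any real SAST product, the following minimal Python checker shows the pattern-matching approach the definition describes: it walks the AST of a constructed source sample without executing it, flags hardcoded credentials and SQL string concatenation, and the `PASSWORD_LABEL` hit is the kind of false positive the definition warns about. The rule names and the sample module are assumptions made for this example.

```python
import ast
import re

# Constructed sample input: two genuine findings (a hardcoded password and a
# concatenated SQL query) plus one likely false positive (a UI label whose
# name merely looks like a credential). The parameterised query is not flagged.
SAMPLE_SOURCE = '''
import os
DB_PASSWORD = "hunter2"
PASSWORD_LABEL = "Password:"
api_key = os.environ.get("API_KEY")

def find_user(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = '" + username + "'")
    cursor.execute("SELECT * FROM users WHERE name = %s", (username,))
'''

# Identifier fragments that suggest a secret (illustrative, not exhaustive).
CREDENTIAL_NAME = re.compile(r"(password|passwd|secret|token|api_key)", re.I)


def scan_source(source):
    """Return sorted (line, rule) findings from a static AST walk; nothing runs."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Rule 1: a credential-looking variable assigned a string literal.
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            for target in node.targets:
                if isinstance(target, ast.Name) and CREDENTIAL_NAME.search(target.id):
                    findings.append((node.lineno, "hardcoded-credential"))
        # Rule 2: <obj>.execute(...) whose query is built with + / % or an f-string
        # rather than passed as a constant with bound parameters.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            query = node.args[0]
            if isinstance(query, (ast.BinOp, ast.JoinedStr)):
                findings.append((node.lineno, "sql-string-concatenation"))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {rule}")
```

Line 4 of the sample (`PASSWORD_LABEL`) is reported even though it holds no secret, which is why such findings are best triaged by a reviewer rather than blocking a build outright.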