Knowledge Center

Frequently Asked Questions

Value for Combining SAST and DAST

When thinking of application security, what is the value for combining SAST and DAST? 

SAST and DAST are complementary application security testing tools that should be used in combination. Organizations should pay attention to finding and fixing serious flaws in development. Some vulnerabilities may not show up at all in production. Developers can fix things early and have them never show up in DAST scans.


Why is it so important to combine SAST and DAST? 

The number of vulnerabilities per asset is very high in SAST compared to DAST. Vulnerabilities found by DAST aren’t always found by SAST. DAST has more uniform distribution of errors compared to SAST. Not everything found in development may be exploitable when the production application is running.


What is the best approach to combine SAST and DAST? 

Compare SAST and DAST results, and take action on the most critical issues. For example, focusing on SQL Injection and Cross-Site Scripting as exploitable errors in both SAST & DAST is always advisable. Application Security solutions – the combination of people, process and technology – must address the entire product lifecycle. They must provide visibility and control across the entire SDLC. Some mistakes made in development won’t be found by testing only in production. Employ these two unique testing tools in tandem to discover and remediate the most serious vulnerabilities.