# Choosing Between SAST and DAST as a Beginner

As a developer, your primary goal is to deliver software that meets business requirements. However, given the [current cyber security landscape](https://www.crn.com/slide-shows/security/the-10-biggest-ransomware-attacks-of-2019/1?itc=refresh), merely ensuring that your application works as intended is not enough. You also need to ensure that your application does not accidentally leak secrets or expose user PII (personally identifiable information). It is your responsibility as a developer to write code that prevents attackers from compromising your application.

Writing Secure Code
-------------------

If you are fixated from the very start on avoiding security vulnerabilities, you will never be able to write efficient code. So, it is important to continue doing what you have been doing, that is, writing code that fulfils a business need. But, along the way, keep security at the back of your mind.

To write secure code as a beginner, you can rely on Application Security Testing tools to make your job easier. These are automated tools that help you identify vulnerabilities in your application.

These testing tools use one of the following strategies:

1. Static Application Security Testing
2. Dynamic Application Security Testing

Static Application Security Testing (SAST)
==========================================

[SAST](https://www.perforce.com/blog/kw/what-is-sast) tools review your source code to identify patterns of vulnerable code. Think of this tool as a security expert with a ton of development experience, who is reviewing your code to find vulnerabilities that could lead the application to exhibit unintended behaviour. Examples of vulnerabilities that may be reported by SAST are:

- Using dangerous functions insecurely
- Secrets embedded in source code
- Lack of input validation or output encoding
- Out-of-bounds read/write
- Insecure dependencies

Advantages of SAST
------------------

**Find vulnerabilities early on in the development phase**

SAST analysis can be run directly on the source code, so the tool does not require a complete working application to perform the assessment. This makes it easier and cheaper to fix any bugs reported by the tool.

**Pinpoint the exact line of vulnerable code**

Getting to the root cause of the vulnerability is easy, as the tool points directly to what needs to be changed. As we will see further on, this is not the case with DAST.

Limitations of SAST
-------------------

**Cannot identify vulnerabilities related to the runtime environment**

You may have a vulnerability-free application, but vulnerabilities may still arise from the way the application is deployed, managed or administered. Such vulnerabilities will not be identified by SAST tools.

**Logical vulnerabilities cannot be identified**

Vulnerabilities that arise because of flawed logic cannot be identified by SAST. Such vulnerabilities are typically prevalent in areas such as authentication, authorization, data security, etc.

**Not all reported issues are exploitable**

SAST tools report every issue that matches the pre-defined patterns configured in them. Not all of these issues are necessarily critical, and you have to decide whether or not to fix each reported issue by manually reviewing it.
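To make the SAST description above concrete, here is a toy pattern-matching scanner. It is an added example, not code from any SAST product; the rule set, the sample "repository" and the triage heuristic are all constructed for this illustration. It shows the two points made above: every finding is pinpointed to a file and line, and every finding is only a pattern match, so a match in a comment or a test file is flagged for manual review rather than reported as a confirmed bug.

```python
"""Toy SAST-style scanner (added illustration, not any real tool's code).

A SAST tool walks the source text, matches it against a rule set of
vulnerable-code patterns, and reports file and line. The rules, the sample
files and the triage heuristic below are all constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed rule set: (rule id, what it looks for, pattern). Real tools
# carry hundreds of rules and add data-flow analysis on top of matching.
RULES = [
    ("DANGEROUS_CALL", "eval()/exec() on data that may be attacker-controlled",
     re.compile(r"\b(eval|exec)\s*\(")),
    ("HARDCODED_SECRET", "credential-looking assignment with a literal value",
     re.compile(r"(?i)(password|secret|api_key|token)\s*=\s*['\"][^'\"]+['\"]")),
    ("SHELL_INJECTION", "subprocess call with shell=True",
     re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True")),
]


@dataclass
class Finding:
    rule: str
    file: str
    line: int           # pinpointed line: the SAST advantage from the text
    snippet: str
    needs_triage: bool  # heuristic: the match sits in a comment or a test file


def _looks_like_test_file(filename):
    parts = filename.replace("\\", "/").split("/")
    return any(p in ("test", "tests") or p.startswith("test_") for p in parts)


def scan_source(filename, text):
    """Return one Finding per (rule, line) match in a single file."""
    findings = []
    in_test = _looks_like_test_file(filename)
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        for rule_id, _desc, pattern in RULES:
            if pattern.search(raw):
                findings.append(Finding(
                    rule=rule_id, file=filename, line=lineno, snippet=stripped,
                    needs_triage=in_test or stripped.startswith("#"),
                ))
    return findings


def scan_tree(files):
    """files: {path: source text}. Returns all findings across the tree."""
    out = []
    for path, text in files.items():
        out.extend(scan_source(path, text))
    return out


# Constructed sample "repository" with deliberate matches.
SAMPLE_FILES = {
    "app/config.py": (
        "import os\n"
        "DB_PASSWORD = 'hunter2'   # constructed hardcoded credential\n"
        "API_TOKEN = os.environ.get('API_TOKEN')   # read from env: no match\n"
    ),
    "app/views.py": (
        "import subprocess\n"
        "def run(cmd):\n"
        "    return subprocess.run(cmd, shell=True)\n"
        "def calc(expr):\n"
        "    return eval(expr)\n"
    ),
    "tests/test_views.py": (
        "# eval('1+1') here is a fixed literal mentioned in a comment\n"
        "PASSWORD = 'test-only'\n"
    ),
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        flag = " [needs triage]" if f.needs_triage else ""
        print(f"{f.file}:{f.line}: {f.rule}: {f.snippet}{flag}")
```

Run as a script, it prints five findings: three real ones in `app/` and two in `tests/` that are marked for triage. The triage flag is the scanner's own guess; the decision to fix or dismiss still belongs to the developer reviewing each line.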
Dynamic Application Security Testing (DAST)
===========================================

[DAST](https://resources.whitesourcesoftware.com/blog-whitesource/dast-dynamic-application-security-testing) tools emulate user behaviour against a running application and identify application behaviours that could be potentially harmful. You can configure the testing tool with different user accounts and tell it how authentication takes place within the application. This ensures that the tool can also scan sections of the application that are behind a login page.

Advantages of DAST
------------------

**Testing close to production**

The test environment where the application is deployed is typically designed to be as close to the production environment as possible. DAST tools help identify runtime or operational deployment vulnerabilities, something that cannot be covered by SAST.

**Identify logic flaws**

DAST tools may help developers or security testers identify flaws related to authentication, authorization, or other vulnerabilities that would allow an application user to have more access than intended.

**Find exploitable vulnerabilities**

DAST helps identify vulnerabilities that can be exploited by attackers to compromise other application users or the application itself.

Limitations of DAST
-------------------

**Fixes may be complex and time-consuming**

Since DAST identifies vulnerabilities only after the application is completely built, fixing them may be complex.

**Root cause analysis may take some time**

Since DAST tools do not identify the code that leads to the vulnerability, developers have to manually review their source code to identify the root cause and fix the vulnerability.
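As an added example of the behaviour described in this DAST section (it is not code from any DAST product), the block below starts a tiny constructed web application with two deliberate flaws on a local port and runs three black-box checks against it over HTTP, configured with two constructed user accounts (`tok-alice`, `tok-bob`). Note what the report contains: a URL, an HTTP status and the observed response, but never a source line, which is exactly why the root-cause step stays manual.

```python
"""Toy DAST-style check (added illustration, not any real tool's code).

Everything here is constructed: a tiny HTTP "application" with two
deliberate flaws, started on a loopback port, and a scanner that talks to
it only over HTTP using two configured user accounts.
"""
import html
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed accounts the scanner is configured with (token -> user).
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
PROFILES = {"alice": "alice@example.test", "bob": "bob@example.test"}


class ToyApp(BaseHTTPRequestHandler):
    """/profile/<user> only checks that *someone* is logged in (authorization
    flaw); /search reflects ?q= without output encoding (encoding flaw)."""

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        auth = self.headers.get("Authorization", "")
        caller = TOKENS.get(auth[7:]) if auth.startswith("Bearer ") else None
        if url.path.startswith("/profile/"):
            if caller is None:
                return self._send(401, "login required")
            target = url.path.split("/")[2]
            # Constructed flaw: never checks caller == target.
            return self._send(200, PROFILES.get(target, "no such user"))
        if url.path == "/search":
            q = urllib.parse.parse_qs(url.query).get("q", [""])[0]
            return self._send(200, "<p>Results for " + q + "</p>")  # no escaping
        self._send(404, "not found")

    def log_message(self, *args):  # keep the server quiet
        pass


# Plain HTTP client; proxies disabled so loopback traffic stays local.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch(base, path, token=None):
    req = urllib.request.Request(base + path)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with _opener.open(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def dast_scan(base):
    """Black-box checks; each finding names a URL and the observed response."""
    findings = []
    # 1. Is the section behind the login actually protected?
    status, _ = fetch(base, "/profile/alice")
    if status != 401:
        findings.append({"url": "/profile/alice", "issue": "missing authentication",
                         "status": status})
    # 2. Logged in as bob, can bob read alice's profile? (more access than intended)
    status, body = fetch(base, "/profile/alice", token="tok-bob")
    if status == 200 and PROFILES["alice"] in body:
        findings.append({"url": "/profile/alice", "issue": "broken authorization",
                         "status": status, "evidence": body})
    # 3. Is user input reflected without output encoding? A harmless marker
    #    with angle brackets is enough to tell escaped from unescaped output.
    marker = "dast<marker>"
    status, body = fetch(base, "/search?q=" + urllib.parse.quote(marker))
    if marker in body and html.escape(marker) not in body:
        findings.append({"url": "/search", "issue": "missing output encoding",
                         "status": status, "evidence": body})
    return findings


def run_example():
    """Start the toy app on an ephemeral loopback port, scan it, shut it down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), ToyApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        return dast_scan(base)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['url']}: {f['issue']} (HTTP {f['status']})")
```

The first check passes (the login page really does protect `/profile/`), the other two produce findings. Fixing the second finding means going back to `do_GET` and adding the `caller == target` comparison; the report itself does not say so, which is the SAST-versus-DAST trade-off the two sections describe.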
What should you choose: SAST or DAST?
=====================================

Choosing between SAST and DAST depends on which phase of the development cycle you are in and the security maturity of your organization.

If you are early in the development cycle and do not have a working application yet, SAST is your best bet.

If your application is good enough to be tested by QA, it is ready for DAST. The main reason is that DAST emulates an attacker: an attacker would use your application like an actual user, but would try to abuse its functionality to make the application behave in an unintended way. DAST helps you seal any possible vulnerabilities just before the launch of your application.