DAST (Dynamic Application Security Testing)
// Definition
Probing a running application from the outside — like an attacker would — to find vulnerabilities such as injection flaws and misconfigured headers. Complements SAST, which sees only the code, not the deployed, running behaviour.
// Related terms
SAST (Static Application Security Testing)
Analysing source code or compiled artifacts for security flaws without running the application. Integrates into CI to catch issues early. Strong on code-level pattern bugs (hardcoded secrets, unsafe API calls); blind to runtime behaviour and deployment configuration.
Vulnerability Scanning
Automated scanning of code, dependencies, or running systems for known security weaknesses (CVEs, misconfigurations). Cheap, continuous, and noisy — best paired with manual penetration testing for deeper coverage.
Penetration Testing
Authorised, simulated attacks against a system to find security weaknesses. Usually performed by security specialists late in the lifecycle, complementing automated scanning rather than replacing it.