SAST (Static Application Security Testing)
// Definition
Analysing source code or compiled artifacts for security flaws without running the application. Integrates into CI to catch issues early. Strong on logic and pattern bugs (hardcoded secrets, unsafe APIs); blind to runtime behaviour.
// Related terms
DAST (Dynamic Application Security Testing)
Probing a running application from the outside — as an attacker would — to find vulnerabilities such as injection flaws and misconfigured headers. Complements SAST, which only sees code.
Vulnerability Scanning
Automated scanning of code, dependencies, or running systems for known security weaknesses (CVEs, misconfigurations). Cheap, continuous, and noisy — best paired with manual penetration testing for deeper coverage.
Shift-Left
Moving testing earlier in the development lifecycle — running tests at design and code-review time, not just before release. Goal: find defects when they're cheapest to fix.
Learn more · Non-Functional Testing Overview
Chapter 3 · Lesson 3: Security Testing Tools — OWASP ZAP, Burp Suite, SonarQube