The OWASP Top 10 — injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialisation, known vulnerabilities, insufficient logging — has been remarkably stable over fifteen years. These are not new problems. They are problems that organisations consistently fail to find and fix before deployment. Application security testing is the discipline that changes this outcome.
Static Application Security Testing (SAST) analyses source code without executing it, identifying security vulnerabilities in code patterns. Tools like Checkmarx, SonarQube, and Semgrep scan every line of code looking for SQL injection, hardcoded credentials, insecure cryptography, and hundreds of other security anti-patterns. SAST integrates directly into the IDE and CI pipeline, catching vulnerabilities at the moment they are introduced — the cheapest point to fix them.
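To make the "code pattern" idea concrete, here is a toy SAST-style checker written for this article; it is an added example, not code from the article or from Checkmarx, SonarQube or Semgrep. It parses Python with the standard `ast` module and flags three of the anti-patterns named above: SQL assembled from runtime values and passed to `.execute()`, string literals assigned to credential-looking names, and `hashlib.md5`/`hashlib.sha1`. The module under test (`SAMPLE_SOURCE`) and the rule names are constructed for the demonstration; `ci_gate` shows the shape of a pipeline step that fails the build when findings exist.

```python
"""Toy SAST-style scanner: AST pattern matching for three classic anti-patterns.

Added example for illustration; the scanned module below is constructed.
"""
import ast
from dataclasses import dataclass

# Constructed sample module containing the defects a SAST tool looks for.
SAMPLE_SOURCE = '''
import hashlib
import sqlite3

DB_PASSWORD = "hunter2"                 # hardcoded credential
api_key = "example-key-not-real"

def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")   # concatenation
    cur.execute(f"SELECT * FROM users WHERE name = '{username}'")        # f-string
    cur.execute("SELECT * FROM users WHERE name = %s" % username)        # %-formatting
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))       # parameterised: safe
    return cur.fetchall()

def weak_hash(data):
    return hashlib.md5(data).hexdigest()
'''

CREDENTIAL_NAMES = ("password", "passwd", "secret", "api_key", "token")
WEAK_HASHES = ("md5", "sha1")
SQL_KEYWORDS = ("select ", "insert ", "update ", "delete ")


@dataclass
class Finding:
    rule: str
    line: int
    detail: str


def _is_dynamic_sql(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime from non-literal parts."""
    if isinstance(node, ast.JoinedStr):                      # f"...{x}..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                          # "..." + x  or  "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return (node.func.attr == "format"                   # "...".format(x)
                and isinstance(node.func.value, ast.Constant))
    return False


def _looks_like_sql(node: ast.AST) -> bool:
    """Cheap check: some literal fragment of the expression starts with a SQL keyword."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            if sub.value.lower().lstrip().startswith(SQL_KEYWORDS):
                return True
    return False


def scan(source: str) -> list[Finding]:
    """Walk the AST once and apply the three rules; findings are sorted by line."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        # Rule 1: query built by concatenation/formatting and passed to .execute()
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args):
            query = node.args[0]
            if _is_dynamic_sql(query) and _looks_like_sql(query):
                findings.append(Finding("sql-injection", node.lineno,
                                        "query built from runtime values; use parameters"))
        # Rule 2: string literal assigned to a credential-looking name
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        k in target.id.lower() for k in CREDENTIAL_NAMES):
                    findings.append(Finding("hardcoded-credential", node.lineno,
                                            f"{target.id} assigned a literal string"))
        # Rule 3: weak hash algorithm from hashlib
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "hashlib" and node.func.attr in WEAK_HASHES):
            findings.append(Finding("weak-hash", node.lineno,
                                    f"hashlib.{node.func.attr} is not collision resistant"))
    return sorted(findings, key=lambda f: f.line)


def ci_gate(source: str) -> int:
    """Pipeline gate: non-zero status fails the build when any finding exists."""
    return 1 if scan(source) else 0


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line:>3}  {f.rule:<22} {f.detail}")
    raise SystemExit(ci_gate(SAMPLE_SOURCE))
```

The parameterised `execute` call on the sample's line 13 is deliberately not flagged: the rule keys on how the query string is constructed, not on the fact that `execute` is called, which is the same distinction real SAST engines draw between tainted and constant data. Real tools add inter-procedural data-flow tracking and far larger rule sets, but the mechanism (parse, match structural patterns, report with line context) is the one shown here.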
Dynamic Application Security Testing (DAST) tests the running application by sending malicious inputs and observing responses. OWASP ZAP, Burp Suite, and commercial scanners probe for vulnerabilities that only manifest at runtime: authentication weaknesses, session management flaws, server-side request forgery. DAST complements SAST by finding vulnerabilities in the application's runtime behaviour rather than its code.
Interactive Application Security Testing (IAST) instruments the running application with agents that observe its behaviour from the inside during test execution. This combines the accuracy of DAST with the code-level insight of SAST, producing highly precise vulnerability reports with line-level code context. IAST is particularly effective in environments with comprehensive automated test suites.
The "shift-left" principle — moving security testing earlier in the development lifecycle — is the practical implication: SAST in the developer's IDE and CI pipeline catches vulnerabilities before code review. DAST in staging catches anything that escaped SAST. Penetration testing before major releases provides human-led validation. Each layer catches what the previous missed.
