# Application Security Analysis Tools: SAST, DAST, SCA, IAST, and RASP
Modern DevSecOps pipelines require comprehensive vulnerability analysis. SAST scans source code statically, DAST tests running applications dynamically, SCA checks dependencies, IAST combines static and dynamic analysis at runtime, and RASP provides protection during execution. These tools integrate into CI/CD for early threat detection.
SAST: Static Code Analysis
SAST tools parse source code without execution, detecting SQL injections, XSS, and insecure APIs. They point to exact code lines for fixes, speeding up development.
Advantages: early detection, integration with IDEs and CI/CD.
Disadvantages: false positives, ignores runtime errors and configurations.
Cloud options:
- SonarCloud: free for public repositories, up to 50k LoC in private. Supports many languages, detailed rules.
- Semgrep Cloud: for teams up to 10 people, unlimited in GitHub.
- CodeQL: GitHub tool, builds a database from code for queries.
Local OSS:
- SonarQube Community: self-hosted, Docker installation, 15+ languages.
- Semgrep OSS: CLI scanner with AST-based rules.
DAST: Dynamic Testing
DAST simulates attacks on running applications from the outside, without code access. It detects authentication, session, and configuration issues.
Advantages: real runtime vulnerabilities, independent of tech stack.
Disadvantages: late SDLC stage, requires a test environment, no line pointers.
Cloud:
- HostedScan: 3-10 scans/month, OWASP Top 10, Nmap, OpenVAS.
Local:
- OWASP ZAP: API for CI/CD, Docker support.
- Nuclei: YAML templates for CVE, high speed.
SCA: Dependency Analysis
SCA scans open-source libraries for CVEs, licenses, and outdated versions. Critical for software supply chains.
Advantages: quick audit of known vulnerabilities, PR automation.
Disadvantages: only known CVEs, noise from transitive deps.
Cloud:
- Snyk: remediation advice, unlimited OSS.
- GitHub Dependabot: auto-PR for updates.
Local:
- Trivy: containers, K8s, IaC.
- OSV-Scanner: Google OSV.dev database.
| Tool | Pros | Cons |
|----------|--------------------------|-------------------------------|
| SAST | Early fixes, exact lines | False positives, no runtime |
| DAST | Real attacks, configs | Late stage, needs test env |
| SCA | CVE lists, licenses | Only known |
| IAST/RASP| Accuracy, blocking | Performance overhead, deployment |
IAST and RASP: Runtime Analysis and Protection
IAST embeds agents to track data in real time, minimizing false positives. RASP adds exploit blocking.
Advantages: execution context, active protection.
Disadvantages: performance overhead, few OSS options, complex integration.
Few free full solutions—this is a commercial category. Recommended to combine with SAST/DAST.
Key Points
- SAST + DAST + SCA cover 90% of OWASP Top 10 risks.
- Integrate into CI/CD for shift-left security.
- Choose OSS for self-hosted data control.
- Account for false positives: tune rules.
- RASP suits high-load production.
— Editorial Team
No comments yet.