Security & DevSecOps Practical By Samson Tanimawo, PhD Published Dec 27, 2025 4 min read

Static vs Dynamic Analysis

SAST vs DAST. Different findings.

SAST: static analysis

Source code analysis without execution. Catches code-level vulnerabilities, security anti-patterns, common bug classes.

Run in CI on every PR. Fast; catches issues before merge.

Tools: Semgrep, SonarQube, Snyk Code, GitHub CodeQL. Each has strengths in different languages.

DAST: dynamic analysis

Runtime analysis of a deployed application. Catches runtime-only vulnerabilities, misconfigurations, exposed endpoints.

Run in pre-prod on each release. Slower; requires a deployed environment.

Tools: OWASP ZAP, Burp Suite, vendor solutions. Crawls the application; identifies issues from outside.

They complement each other

SAST catches code-level issues. DAST catches deployment-level issues.

Each misses what the other catches. Hardcoded credentials are a SAST finding; misconfigured CORS is a DAST finding.

Mature security programs run both.

Operating both

SAST integrated in CI: blocks PRs on critical findings.

DAST scheduled per-release in pre-prod: blocks releases on critical findings.

Quarterly review of both: false-positive rates, missed cases, tooling gaps.
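As an added example (not from the original post), a small gate that a CI step or release step can run over a scanner report to apply the "block on critical findings" rule above to both SAST and DAST output. The report shapes are assumptions loosely modelled on Semgrep and OWASP ZAP JSON output, and the two sample reports are constructed here, not real scanner results.

```python
import json

# Assumed report shapes, loosely modelled on Semgrep and OWASP ZAP JSON output;
# check your own tool's schema before relying on these keys.
SAST_LEVELS = ["INFO", "WARNING", "ERROR"]  # Semgrep-style severities, ascending
DAST_LEVELS = ["0", "1", "2", "3"]           # ZAP-style riskcode: info, low, medium, high

# Constructed sample reports (not real scanner output).
SAST_SAMPLE = json.dumps({"results": [
    {"check_id": "hardcoded-credential", "path": "app/db.py",
     "start": {"line": 12}, "extra": {"severity": "ERROR"}},
    {"check_id": "weak-random", "path": "app/token.py",
     "start": {"line": 3}, "extra": {"severity": "WARNING"}},
]})
DAST_SAMPLE = json.dumps({"site": [{"@name": "https://staging.example.test", "alerts": [
    {"alert": "CORS misconfiguration", "riskcode": "2"},
    {"alert": "Missing security headers", "riskcode": "1"},
]}]})


def sast_findings(report: dict) -> list[dict]:
    """Flatten a Semgrep-style report into id / location / severity records."""
    return [{"id": r["check_id"],
             "where": f'{r["path"]}:{r.get("start", {}).get("line", "?")}',
             "severity": r["extra"]["severity"].upper()}
            for r in report.get("results", [])]


def dast_findings(report: dict) -> list[dict]:
    """Flatten a ZAP-style report into id / location / severity records."""
    return [{"id": a["alert"], "where": site.get("@name", "?"),
             "severity": str(a["riskcode"])}
            for site in report.get("site", []) for a in site.get("alerts", [])]


def blocking(findings: list[dict], levels: list[str], threshold: str) -> list[dict]:
    """Findings at or above `threshold`; an unknown severity blocks rather than slipping through."""
    floor = levels.index(threshold)
    return [f for f in findings
            if f["severity"] not in levels or levels.index(f["severity"]) >= floor]


def gate(report_text: str, kind: str, threshold: str) -> tuple[bool, list[dict]]:
    """Return (should_block, offending findings); exit non-zero in CI when should_block is True."""
    report = json.loads(report_text)
    if kind == "sast":
        hits = blocking(sast_findings(report), SAST_LEVELS, threshold)
    elif kind == "dast":
        hits = blocking(dast_findings(report), DAST_LEVELS, threshold)
    else:
        raise ValueError(f"unknown report kind: {kind}")
    return bool(hits), hits
```

The SAST gate on the sample blocks (one ERROR-level hardcoded credential), while the DAST gate at the "high" threshold passes the medium-rated CORS alert through; lowering the DAST threshold to "2" makes it block, which is the knob a quarterly review would tune.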