
SAST (Static Application Security Testing)

A white-box testing methodology that analyzes application source code, bytecode, or binaries for security vulnerabilities without running the program.

Tags: methodology, testing, code analysis

Static Application Security Testing (SAST) analyzes application source code, bytecode, or binary code for security vulnerabilities without running the program. SAST tools scan code for patterns known to cause security issues — such as unsanitized user input flowing into SQL queries, hardcoded credentials, or insecure cryptographic implementations.

SAST is "white-box" testing that can identify vulnerabilities early in the development lifecycle, ideally as code is written or during code review. Many SAST tools integrate into IDEs and CI/CD pipelines, providing developers with immediate feedback on security issues.

Limitations of SAST include high false-positive rates (flagging code patterns that aren't actually exploitable in context), inability to detect runtime configuration issues, and difficulty analyzing complex data flows across microservices. SAST also cannot detect issues in third-party libraries without separate SCA (Software Composition Analysis) tooling.
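The pattern the definition above describes (user input flowing unsanitized into a SQL query) and the contextual false positive the limitations mention can both be shown with a toy analyzer. This is an added example, not APVISO's tooling or any real SAST engine; it uses Python's standard ast module, and the Flask-style source and sink names and the three sample snippets are assumed and constructed for illustration.

```python
import ast

# Constructed samples of the kind of code a SAST scanner reads (Flask-style names are assumed).
VULNERABLE = '''
user = request.args.get("user")
cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")
'''
PARAMETERIZED = '''
user = request.args.get("user")
cursor.execute("SELECT * FROM users WHERE name = %s", (user,))
'''
# Safe in practice (int() rejects anything but digits) but still matched by the pattern:
# the kind of contextual false positive the limitations above describe.
CAST_BEFORE_USE = '''
uid = request.args.get("id")
cursor.execute("SELECT * FROM users WHERE id = " + str(int(uid)))
'''

TAINT_SOURCES = {"request.args.get", "request.form.get", "input"}  # assumed source list
SQL_SINKS = {"cursor.execute", "cursor.executemany"}               # assumed sink list

def _dotted(node):
    """Render a Name/Attribute chain as 'a.b.c'; None for any other expression."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def find_sql_taint(source):
    """Return [(line, sink)] for each SQL sink whose query text is built from tainted data."""
    tree = ast.parse(source)
    tainted = set()
    # Pass 1: a name assigned directly from a taint source becomes tainted.
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Call)
                and _dotted(node.value.func) in TAINT_SOURCES):
            tainted |= {t.id for t in node.targets if isinstance(t, ast.Name)}
    findings = []
    # Pass 2: flag a sink when a tainted name appears inside its first argument (the SQL
    # text). A tainted name only in later arguments is a bound parameter, the safe form.
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _dotted(node.func) in SQL_SINKS and node.args:
            if any(isinstance(n, ast.Name) and n.id in tainted
                   for n in ast.walk(node.args[0])):
                findings.append((node.lineno, _dotted(node.func)))
    return findings
```

Running find_sql_taint on the three samples flags the first and third (line 3 in each) and clears the parameterized one; the third finding is exactly the kind of result that needs runtime confirmation.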

How APVISO tests for this: APVISO complements SAST by testing the running application for exploitability. While SAST may flag a potential SQL injection in code, APVISO confirms whether it's actually exploitable by crafting and sending payloads against the deployed application.
