What is the difference between SAST, DAST, IAST, and SCA? [Basic]
Answer
SAST analyzes source or bytecode without running the application, DAST tests a running application from the outside, IAST observes the application while tests execute, and SCA identifies vulnerable third-party dependencies and licenses.
Technical explanation
SAST is strong for coding issues such as injection patterns, insecure crypto calls, and unsafe deserialization paths.
DAST is strong for runtime and configuration issues such as exposed endpoints, missing headers, authentication bypass patterns, and reflected injection behavior.
IAST combines runtime context with code-level insight by instrumenting the application (an agent in the test runtime), so it only sees code paths the tests actually exercise. SCA focuses on open-source packages, transitive dependencies, known CVEs, licenses, and available upgrade paths.
Hands-on example
In practice: run SonarQube on every pull request for SAST and code quality; run OWASP ZAP against a deployed test environment for DAST (it needs a reachable, running target); attach an IAST agent during integration tests if one is available; and run Snyk, Dependabot, Trivy, or Grype for SCA against lockfiles (which pin the resolved transitive versions) and container images. Gate the pipeline on new high-severity findings rather than on the full historical backlog so the checks stay enforceable.
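To make the distinction concrete, here is an added example (not code from the page or from any of the tools named above) with three deliberately minimal scanners: a SAST rule that walks the Python AST of a source string and flags `execute()` calls whose query is built by concatenation or an f-string, a DAST probe that starts a small constructed HTTP app and checks its live responses for missing security headers, and an SCA lookup that matches a constructed lockfile against a constructed advisory table. The sample source, the target app, the package names and the `DEMO-` advisory ids are all invented for the demonstration; real engines add data-flow analysis, crawling, and a real vulnerability database.

```python
"""Toy SAST / DAST / SCA, side by side. Added example with constructed inputs."""
import ast
import http.server
import threading
import urllib.request

# ---------- SAST: inspect source text, nothing is executed ----------
SAMPLE_SOURCE = '''
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")  # concatenation
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))     # parameterised
    cursor.execute(f"SELECT * FROM users WHERE id = {name}")          # f-string
'''

def sast_sql_concat(source: str) -> list[int]:
    """Line numbers of execute() calls whose first argument is a BinOp (string
    concatenation) or JoinedStr (f-string): the classic SQL injection pattern.
    A real SAST tool also tracks whether the pieces are attacker-controlled."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args
                and isinstance(node.args[0], (ast.BinOp, ast.JoinedStr))):
            findings.append(node.lineno)
    return sorted(findings)

# ---------- DAST: talk to a running app over HTTP, no source access ----------
class _TargetApp(http.server.BaseHTTPRequestHandler):
    """Constructed target: a page served without any security headers."""
    def do_GET(self):
        body = b"<html>hello</html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

REQUIRED_HEADERS = ("Content-Security-Policy", "X-Content-Type-Options", "X-Frame-Options")

def dast_missing_headers(url: str) -> list[str]:
    """Fetch the page from the outside and report which expected headers are absent."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        present = {k.lower() for k in resp.headers.keys()}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]

def run_dast_demo() -> list[str]:
    """Start the constructed app on a free local port, probe it, shut it down."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _TargetApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return dast_missing_headers(f"http://127.0.0.1:{server.server_address[1]}/")
    finally:
        server.shutdown()
        server.server_close()

# ---------- SCA: match pinned dependency versions against known advisories ----------
# Constructed advisory table: package -> [(first affected, first fixed, advisory id)]
ADVISORIES = {
    "examplelib": [((2, 0, 0), (2, 31, 0), "DEMO-0001")],
    "demoparser": [((0, 0, 0), (5, 4, 0), "DEMO-0002")],
}
SAMPLE_LOCKFILE = """\
examplelib==2.25.1
demoparser==6.0.1
otherpkg==1.0.0
"""

def _ver(s: str) -> tuple[int, ...]:
    return tuple(int(p) for p in s.split("."))

def sca_scan(lockfile: str) -> list[tuple[str, str, str, str]]:
    """(package, pinned version, advisory id, fixed version) for every vulnerable pin."""
    results = []
    for line in lockfile.splitlines():
        if "==" not in line:
            continue
        name, version = line.strip().split("==")
        for lo, fixed, advisory in ADVISORIES.get(name.lower(), []):
            if lo <= _ver(version) < fixed:
                results.append((name, version, advisory, ".".join(map(str, fixed))))
    return results

if __name__ == "__main__":
    print("SAST findings (line numbers):", sast_sql_concat(SAMPLE_SOURCE))
    print("DAST missing headers:", run_dast_demo())
    print("SCA vulnerable pins:", sca_scan(SAMPLE_LOCKFILE))
```

Note what each scanner cannot see: the SAST rule has no idea whether the app is deployed or how it is configured, the DAST probe never learns which line built the query, and the SCA lookup knows nothing about your own code at all. That is why the three are run together rather than picked from.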
More Security & DevSecOps interview questions
- What is DevSecOps, and how does it differ from traditional security gating at the end? [Basic]
- What does shift-left security mean, and why does it matter? [Basic]
- When in the pipeline does each of SAST, DAST, and SCA run? [Basic]
- What is the difference between SAST and DAST, and what does each catch and miss? [Basic]
- What is software composition analysis (SCA), and why does it matter for dependencies? [Basic]
- What is SonarQube, and what does it analyse? [Basic]
- Is SonarQube primarily SAST, code quality, or both? [Basic]
- What is a SonarQube quality gate, and how do you use it to fail a build? [Basic]