Interview Security & DevSecOps

What is the difference between SAST and DAST, and what does each catch and miss? [Basic]

Answer

SAST (static application security testing) analyzes source code or bytecode without executing it, while DAST (dynamic application security testing) probes the running application from the outside, the way an attacker would. SAST catches code-level flaws early in the development cycle; DAST catches runtime behavior and deployment/configuration issues. Neither is complete on its own.

Technical explanation

SAST can find insecure API usage and tainted data flows (untrusted input reaching a sensitive sink) but may produce false positives and cannot see runtime-only misconfiguration, such as a weak TLS setting or a missing security header that only exists in the deployed environment.

DAST can validate externally observable issues but usually has limited visibility into the exact source lines responsible, and it may miss code paths that are never reached during scanning (unauthenticated scans, untested parameters, rarely exercised features).

A strong program uses both, plus SCA (software composition analysis for third-party dependencies), secrets scanning, threat modeling, and runtime controls.

Hands-on example

Example: SAST flags a concatenated SQL query in a DAO class. DAST confirms a SQL injection on /search when the staging app is running. The fix is to switch to parameterized queries, add a regression test that exercises the formerly vulnerable input, and rerun both scanners to verify the issue is gone.
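The scenario above, worked through as an added Python example (not code from the original page): a vulnerable `search_vulnerable` that concatenates the term into SQL, the parameterized `search_fixed`, a toy SAST-style AST check that flags `execute()` calls receiving concatenated or formatted strings, and a DAST-style regression check that runs each search with a quote-breaking term and reports whether the input stayed a literal. The product table and the `SAMPLE_DAO` snippet are constructed sample data; the `/search` endpoint from the text is represented by the two search functions.

```python
import ast
import sqlite3

# Constructed sample data (not from the page): a small in-memory product table.
PRODUCTS = [("laptop", 999), ("phone", 599), ("cable", 9)]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def search_vulnerable(term):
    """'Before' version: builds the SQL by string concatenation, the pattern SAST flags."""
    conn = _connect()
    query = "SELECT name FROM products WHERE name = '" + term + "'"
    rows = conn.execute(query).fetchall()
    conn.close()
    return [r[0] for r in rows]


def search_fixed(term):
    """'After' version: the value travels as a bound parameter, never as SQL text."""
    conn = _connect()
    rows = conn.execute(
        "SELECT name FROM products WHERE name = ?", (term,)
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]


# Constructed DAO snippet used as input for the SAST-style check below.
SAMPLE_DAO = '''\
def find(cur, term):
    cur.execute("SELECT * FROM t WHERE name = '" + term + "'")
    cur.execute(f"SELECT * FROM t WHERE name = '{term}'")
    cur.execute("SELECT * FROM t WHERE name = ?", (term,))
'''


def find_concatenated_sql(source):
    """Toy SAST rule: return line numbers where .execute() receives a string
    built by '+' concatenation, an f-string, or str.format(). Parameterized
    calls (a plain string literal plus a parameter tuple) are not reported."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr != "execute" or not node.args:
            continue
        arg = node.args[0]
        if isinstance(arg, (ast.BinOp, ast.JoinedStr)):
            findings.append(node.lineno)
        elif (isinstance(arg, ast.Call)
              and isinstance(arg.func, ast.Attribute)
              and arg.func.attr == "format"):
            findings.append(node.lineno)
    return findings


def injection_regression_passes(search_fn):
    """DAST-style regression check: feed a term containing a quote and a tautology.
    A correctly parameterized search treats it as a literal product name and
    returns nothing; a concatenating search lets it rewrite the WHERE clause and
    returns every row. Returns True only when the search stays a literal match."""
    probe = "' OR '1'='1"
    return search_fn(probe) == []


if __name__ == "__main__":
    print("SAST findings (line numbers):", find_concatenated_sql(SAMPLE_DAO))
    print("vulnerable passes regression:", injection_regression_passes(search_vulnerable))
    print("fixed passes regression:", injection_regression_passes(search_fixed))
```

The two checks map onto the interview answer: the AST rule sees the concatenation without running anything and points at exact lines, but would happily flag a concatenated constant that is not attacker-controlled (a false positive); the regression check proves the behavior on a live database but only for the one function and input it exercises. Rerunning both after the fix is what shows the issue is really gone.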
