The Rise Of DAST 2.0 In 2025
HelpNet Security, Tuesday, March 18th, 2025
Static Application Security Testing (SAST) found favor among security teams as an easy way to deploy security testing without really engaging developers. With the ability to analyze source code early in the software delivery lifecycle, SAST solutions offered a more proactive approach to finding security issues prior to production. But this came with a cost.
Many of the findings of SAST tools are only potential vulnerabilities, meaning that a lot of manual effort and time is required to evaluate and prioritize the risks. Developers are left to parse through thousands of alerts with minimal context about which issues are most critical, let alone how to map them to CWE categories to pinpoint the real problem and the necessary fix.
A pain in the SAST
SAST's initial promise of proactive security testing for security teams quickly established itself as a fundamental problem for developers due to its extreme noise. By flooding developers with thousands of findings, mostly 'false positives', and flagging code patterns as 'potentially insecure' without assessing actual exploitability, it has made it nearly impossible for developers to prioritize which issues to fix. SAST also fails to provide meaningful context: it might detect a problematic code pattern, but it cannot determine whether that code is actually in use, exposed to the internet, or actively contributing to an exploitable vulnerability. It fails to answer the questions that matter: Is this code running in production? Is it exposed? Can it actually be exploited?
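The gap described above can be seen in a few lines of code. The following added example (not from the article or any vendor's tool) applies a SAST-style pattern rule that flags every `eval()` call in a constructed module, then answers only the first of the three questions, "is this code in use?", by checking which flagged functions are reachable from an assumed entry point `handle_search`. Exposure and exploitability are outside the script's knowledge, which is exactly where runtime testing has to take over.

```python
import ast

# Constructed sample module: one eval() reachable from the entry point,
# one in a helper that nothing calls any more (dead code).
SAMPLE = '''
def parse_filter(expr):
    return eval(expr)          # reachable: called from handle_search

def legacy_import(blob):
    return eval(blob)          # dead code: no caller

def handle_search(request):
    return parse_filter(request["q"])
'''

def _called_names(fn):
    """Names of functions called anywhere inside a function body."""
    return {n.func.id for n in ast.walk(fn)
            if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)}

def sast_findings(tree):
    """Pattern rule: flag every eval() call, with no notion of context."""
    out = []
    for fn in tree.body:
        if isinstance(fn, ast.FunctionDef):
            for node in ast.walk(fn):
                if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                        and node.func.id == "eval"):
                    out.append((fn.name, node.lineno))
    return out

def reachable(graph, entry):
    """Functions transitively reachable from one entry point (DFS)."""
    seen, stack = set(), [entry]
    while stack:
        f = stack.pop()
        if f not in seen:
            seen.add(f)
            stack.extend(graph.get(f, ()))
    return seen

def triage(source, entry_points):
    """(function, line, in_use) for each finding; in_use is the only
    context this static check can add. Exposure and exploitability are
    not answerable here, which is the article's point."""
    tree = ast.parse(source)
    graph = {fn.name: _called_names(fn)
             for fn in tree.body if isinstance(fn, ast.FunctionDef)}
    live = set().union(*(reachable(graph, e) for e in entry_points))
    return [(fn, line, fn in live) for fn, line in sast_findings(tree)]
```

Both `eval()` calls are flagged by the pattern rule; only the reachability pass separates the live one in `parse_filter` from the dead one in `legacy_import`.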