An enterprise is adopting a DevOps model and wants to integrate security into the CI/CD pipeline. The security architect recommends adding automated security testing. In which phase of the pipeline should static application security testing (SAST) be introduced to minimize rework?
SAST analyzes source code, so running it in the build phase catches issues early.
Why this answer
SAST is most effective when run early, ideally during the build phase, so developers can fix vulnerabilities before deployment. In production, it's too late. Running it during deployment might cause delays.
SAST is not typically run on running applications.