A security team is selecting tools for code review. Which THREE of the following are characteristics of Static Application Security Testing (SAST) tools?
Correct: SAST scans source code statically.
Why this answer
SAST tools analyze source code, bytecode, or binary code without executing the application. They require access to the source code to perform static analysis, scanning for security flaws such as injection vulnerabilities, buffer overflows, and insecure cryptographic implementations. This allows developers to identify and fix vulnerabilities early in the development lifecycle, before the code is compiled or deployed.
Exam trap
The trap here is confusing SAST with DAST: candidates often select 'analyze while running' (Option D) because they assume 'static' means 'after deployment' or 'during runtime'. SAST is static, meaning it analyzes code without executing it; DAST is dynamic, meaning it tests the application while it runs.