Which type of testing analyzes source code for security vulnerabilities without executing the program?
SAST analyzes source code without execution.
Why this answer
Static Application Security Testing (SAST) analyzes source code, bytecode, or binary code for security vulnerabilities without executing the program. It scans the codebase for known vulnerability patterns, such as untrusted input reaching a SQL query or an unbounded copy into a fixed-size buffer, using techniques like data-flow analysis and taint tracking. Because it needs only the code and not a running system, this white-box approach fits early in the Software Development Life Cycle (SDLC), typically in the IDE or the CI pipeline, which makes it the correct answer for testing that does not require runtime execution. The trade-off is that a tool reasoning about code it never runs cannot see runtime configuration or the deployed environment, and it tends to produce false positives that need triage.
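To make "taint tracking without execution" concrete, here is a miniature SAST pass written for this page (it is an added example, not code from the original page or from any SAST product). It parses a constructed Python program with the standard `ast` module, follows attacker-controlled data from assumed sources (anything read off Flask's `request` object, or `input()`) through string concatenation, `%`-formatting and f-strings, and reports every `execute()` call whose query expression is tainted. The sample program is never imported or run, so the analysis does not even need flask installed. The source and sink rules, the `int()` sanitizer and the function names `find_sql_injection` and `_scan_block` are assumptions chosen for the demonstration.

```python
"""Toy static taint analysis (a miniature SAST pass) over a Python AST.

Added example, not part of the original page. The program under review is
a constructed string that is parsed but never imported or executed.
"""
import ast
from typing import List, Set, Tuple

# Assumptions for this toy: anything read off Flask's `request` object is
# attacker-controlled, `input()` is too, and int() neutralizes the taint
# because its result cannot carry SQL syntax.
SANITIZERS = {"int"}


def _callee_name(call: ast.Call) -> str:
    return ast.unparse(call.func)


def _is_source(node: ast.AST) -> bool:
    if isinstance(node, ast.Call) and _callee_name(node) == "input":
        return True
    return (isinstance(node, (ast.Call, ast.Subscript, ast.Attribute))
            and ast.unparse(node).startswith("request."))


def _is_sink(call: ast.Call) -> bool:
    # Any *.execute(...) / *.executescript(...) call is treated as a SQL sink.
    return isinstance(call.func, ast.Attribute) and call.func.attr in {"execute", "executescript"}


def _is_tainted(node: ast.AST, tainted: Set[str]) -> bool:
    """Does any sub-expression carry taint? Concatenation, %-formatting,
    str.format and f-strings all propagate it; a sanitizer call stops it."""
    if isinstance(node, ast.Call) and _callee_name(node) in SANITIZERS:
        return False
    if _is_source(node):
        return True
    if isinstance(node, ast.Name):
        return node.id in tainted
    return any(_is_tainted(child, tainted) for child in ast.iter_child_nodes(node))


def _scan_block(stmts: List[ast.stmt], tainted: Set[str],
                findings: List[Tuple[int, str]]) -> None:
    """Walk statements in program order so taint assigned on one line is
    visible on the lines after it (flow-sensitive, intraprocedural)."""
    for stmt in stmts:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            _scan_block(stmt.body, set(), findings)  # fresh taint set per scope
            continue
        if hasattr(stmt, "body"):  # if/for/while/with/try: recurse into each branch
            for field in ("body", "orelse", "finalbody"):
                _scan_block(getattr(stmt, field, []), tainted, findings)
            for handler in getattr(stmt, "handlers", []):
                _scan_block(handler.body, tainted, findings)
            continue
        if isinstance(stmt, ast.Assign):
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    if _is_tainted(stmt.value, tainted):
                        tainted.add(target.id)
                    else:
                        tainted.discard(target.id)  # overwritten with clean data
        elif isinstance(stmt, ast.AugAssign) and isinstance(stmt.target, ast.Name):
            if _is_tainted(stmt.value, tainted):
                tainted.add(stmt.target.id)
        # The sink may sit anywhere in a simple statement, e.g. `rows = cur.execute(q)`.
        for node in ast.walk(stmt):
            if isinstance(node, ast.Call) and _is_sink(node) and node.args:
                if _is_tainted(node.args[0], tainted):
                    findings.append((node.lineno, ast.unparse(node.args[0])))


def find_sql_injection(source: str) -> List[Tuple[int, str]]:
    """Return (line, query_expression) for every SQL sink fed tainted data."""
    findings: List[Tuple[int, str]] = []
    _scan_block(ast.parse(source).body, set(), findings)
    return findings


# Constructed program under review (never executed by this script).
SAMPLE = '''\
from flask import request

def lookup_vulnerable(cur):
    uid = request.args.get("id")
    query = "SELECT * FROM users WHERE id = " + uid
    cur.execute(query)
    return cur.fetchall()

def lookup_fstring(cur):
    name = request.form["name"]
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    return cur.fetchall()

def lookup_parameterized(cur):
    uid = request.args.get("id")
    cur.execute("SELECT * FROM users WHERE id = ?", (uid,))
    return cur.fetchall()

def lookup_sanitized(cur):
    uid = int(request.args.get("id"))
    cur.execute("SELECT * FROM users WHERE id = %d" % uid)
    return cur.fetchall()
'''

if __name__ == "__main__":
    for line, expr in find_sql_injection(SAMPLE):
        print(f"SAMPLE line {line}: tainted data reaches execute(): {expr}")
```

Running it flags lines 6 and 11 of the sample (the concatenated and f-string queries) and stays silent on the parameterized query, where the first argument to `execute()` is a constant, and on the `int()`-sanitized one. The pass also illustrates the limits the exam answer glosses over: it is intraprocedural, knows nothing about what `cur` really is, and would miss a query assembled in a helper function, which is why real SAST engines add interprocedural analysis and still need human triage.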
Exam trap
The trap is that candidates confuse SAST with DAST because both are automated security testing tools. The distinction is exactly what the question hinges on: SAST is static (it analyzes code and never runs it), while DAST is dynamic (it probes the running application). The phrase 'without executing the program' is there to rule out DAST.
How to eliminate wrong answers
Option B (Interactive Application Security Testing, IAST) is wrong because IAST requires the application to be running: an agent instruments the code and observes it during execution, often while functional tests or a DAST scanner drive it, combining elements of SAST and DAST. Option C (Penetration testing) is wrong because it is a manual or tool-assisted black-box/gray-box assessment that actively exploits vulnerabilities in a running system rather than analyzing source code statically. Option D (Dynamic Application Security Testing, DAST) is wrong because it tests the application from the outside while it is executing, typically by sending crafted HTTP requests and analyzing the responses, without access to the source code.