Domain 4 of 6 · Chapter 4 of 7

Software Assurance & Validation

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.

Included in this chapter:

  • Two axes that classify every security test
  • SAST, DAST, IAST, SCA: when each finds what
  • Functional, non-functional, QA, and abuse-case testing
  • Exam-pattern recognition

Security testing methodologies: visibility axis and analysis axis

MethodKnowledge of internalsRuns the app?Finds the code line?False positivesPrimary blind spot
SAST (static)White-box (source/bytecode)No, analyzes at restYes, exact lineHighCannot tell which paths are reachable; misses runtime/config flaws
DAST (dynamic)Black-box (external attacker)Yes, attacks running appNo, reports behaviorLowNo code location; misses paths it never exercises
IAST (interactive)Gray-box (instrumented runtime)Yes, with in-process sensorsYes, via sensorsLowLimited language/runtime support; runtime overhead
SCA (composition)Inventory of dependenciesNo, scans componentsNames the vulnerable libraryLowOnly third-party code, says nothing about your own

Decision tree

Testing third-partylibraries or dependencies?SCACVEs + license auditYesHave the source code/ testing before deploy?No (own app code)Need low false positivesAND the exact code line?Yes, source availableDASTrunning app, no sourceNo / black-boxSASTstatic, line + early; many FPsNo, earliest scanIASTinstrumented runtimeYes, can instrumentAlways pair with abuse-case testing from the threat model

Cheat sheet

  • Classify a test by two independent axes: visibility and what it analyzes
  • SAST reads source at rest and pinpoints the vulnerable line
  • DAST attacks the running app and confirms exploitability but not the line
  • IAST instruments the runtime to get low false positives plus the code line
  • SCA inventories third-party components, the code you did not write
  • SAST and DAST are complements, not substitutes
  • Black-box is the attacker's no-source view; white-box has full internals
  • Functional testing proves the feature works; security is non-functional
  • Abuse-case testing flips a use case into what an attacker must not achieve
  • Abuse cases come from the threat model, not improvised
  • Quality assurance gates the release against defined exit criteria
  • Anchor secure-testing decisions to OWASP guidance and ASVS
  • Map the stem's clue to exactly one method
  • Reachability analysis and runtime/severity ranking focus SCA remediation on real risk
  • Place SCA before SAST and DAST, and pull from a golden repository of vetted components
  • Run DAST against a production-equivalent staging environment, never live production
  • DAST output is made actionable by triaging, deduplicating, and suppressing verified false positives
  • SAST cannot find authorization or business-logic flaws and over-reports on external code

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. OWASP Web Security Testing Guide (WSTG)
  2. OWASP Source Code Analysis Tools (SAST)
  3. OWASP DevSecOps Guideline — Dynamic Application Security Testing (DAST)
  4. NIST National Vulnerability Database (NVD / CVE)