IAST - Code Curmudgeon

IAST is interactive application security testing. It’s also been known variously as hybrid security testing, gray-box, and glass-box. This technique blends the inside-out approach of SAST with the outside-in approach of DAST to give you deep code-level visibility of a running application while it’s in a real running state. This helps reduce false positives but still has the thoroughness limitations of black-box techniques in that it’s only as good as the test suite being run in terms of coverage.

Definitioner

IAST

IAST is interactive application security testing. It's also been known variously as hybrid security testing, gray-box, and glass-box. This technique blends the inside-out approach of SAST with the outside-in approach of DAST to give you deep code-level visibility of a running application while it's in a real running state. This helps reduce false positives but still has the thoroughness limitations of black-box techniques in that it's only as good as the test suite being run in terms of coverage.

Interactive Application Security Testing (IAST)

DAST

DAST tests an application for security vulnerabilities by monitoring and probing an application while it is actually running - thus the dynamic test. DAST starts from inputs and is a black-box or external view. This gives is a very realistic view of application behavior, but is difficult to be completely thorough. Penetration testing or pen-test is a common form of DAST.

SAST

SAST is security testing that is done on source, byte-code, or binaries but without actually executing them - thus the "static" testing. Typically this includes things like software metrics, static code analysis and even peer review. SAST provides a white-box or inside view to the application. It can both find possible vulnerabilities and weaknesses by looking for anti-patterns as well as enforcing secure software engineering standards by looking for proper patterns.