Static Application Security Testing (SAST) is an automated technique that analyses source code, bytecode or binary code to identify security vulnerabilities without executing the application. SAST tools scan for common weaknesses such as SQL injection, cross-site scripting, buffer overflows and insecure cryptographic usage, typically integrating into the development pipeline as part of a shift-left security strategy.
By catching vulnerabilities early in the development lifecycle, SAST significantly reduces the cost and effort of remediation compared to finding issues in production. For optimal coverage, organisations often combine SAST with dynamic testing methods and manual code reviews, creating a comprehensive application security programme that satisfies compliance requirements under standards like ISO 27001 and SOC 2.
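To make the "analyse without executing" idea concrete, here is an added example (not from the original text or any particular SAST product): a tiny SAST-style check in Python that parses source with the standard `ast` module and flags `execute()` calls whose SQL text is assembled at runtime, the pattern behind SQL injection. The sample source it scans is constructed for the illustration.

```python
"""Toy SAST check: statically flag SQL built from string operations and
passed to an execute() call. The scanned code is never run."""
import ast


def _dynamic_string_reason(node: ast.AST):
    """Return a short reason if `node` builds a string at runtime, else None."""
    if isinstance(node, ast.JoinedStr):
        return "f-string interpolation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        # Conservative: also flags literal + literal, which a real tool would fold.
        return "string concatenation or %-formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format() call"
    return None


def find_sql_injection_sinks(source: str):
    """Scan Python source; return sorted (line, reason) for risky execute() calls.

    Only the first argument of execute()/executemany() is inspected. A query
    passed as a plain literal with a separate parameter tuple is not reported,
    which is how parameterised queries look in DB-API code.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in {"execute", "executemany"} and node.args):
            reason = _dynamic_string_reason(node.args[0])
            if reason:
                findings.append((node.lineno, reason))
    return sorted(findings)


# Constructed sample input: two injectable queries and one parameterised query.
SAMPLE = '''
def lookup(cur, name, uid):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT * FROM users WHERE id = {uid}")
    cur.execute("SELECT * FROM users WHERE id = %s", (uid,))
'''

if __name__ == "__main__":
    for line, reason in find_sql_injection_sinks(SAMPLE):
        print(f"line {line}: possible SQL injection ({reason})")
```

Real SAST engines extend this single-sink pattern with data-flow (taint) tracking across functions and files, which is what lets them tell user-controlled input apart from trusted constants.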