Application Security Testing Providers: SAST, DAST, and Beyond
Application security testing (AST) is a structured discipline within the cybersecurity services market focused on identifying vulnerabilities in software before and after deployment. The sector spans four primary testing methodologies — static analysis, dynamic analysis, interactive analysis, and software composition analysis — each serving distinct phases of the software development lifecycle. Regulatory frameworks from the Payment Card Industry Security Standards Council, the National Institute of Standards and Technology, and sector-specific agencies have elevated AST from a discretionary practice to a compliance obligation across finance, healthcare, and federal contracting. The Security Services Listings on this site catalogues providers operating across these methodologies.
Definition and scope
Application security testing encompasses automated and manual processes designed to detect security flaws in software code, running applications, third-party dependencies, and application programming interfaces. The discipline operates across two primary temporal frames: pre-deployment testing embedded in development pipelines, and post-deployment testing of live systems in staging or production environments.
NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment, defines application testing as a core component of security assessment methodology, distinguishing it from network-layer and host-layer assessments by its focus on application logic, authentication mechanisms, and data handling within software layers.
The four canonical AST categories recognized by standards bodies and the vendor market are:
- Static Application Security Testing (SAST) — Analyzes source code, bytecode, or binary executables without executing the application. Operates on code at rest.
- Dynamic Application Security Testing (DAST) — Tests a running application from the outside by simulating attack inputs against live endpoints. Requires a deployed instance.
- Interactive Application Security Testing (IAST) — Instruments the application runtime to detect vulnerabilities during functional testing, combining elements of both SAST and DAST.
- Software Composition Analysis (SCA) — Identifies known vulnerabilities in open-source and third-party libraries embedded in the application's dependency graph, typically referencing the NIST National Vulnerability Database (NVD).
The scope of the AST services market extends to mobile applications, APIs, microservices architectures, and containerized workloads, each requiring methodology-specific tooling and expertise.
How it works
SAST tools operate by parsing source code or compiled artifacts and applying rule sets — mapped to vulnerability taxonomies such as the OWASP Top 10 or CWE/SANS Top 25 — to flag patterns associated with injection flaws, insecure deserialization, hard-coded credentials, and buffer overflows. Because SAST runs without executing code, it produces results early in the pipeline, at the cost of false positive rates that can range from 30 to 50 percent on unconfigured tools (NIST SP 800-115 background data on automated analysis reliability).
DAST tools send crafted HTTP requests, malformed inputs, and authentication probes to a running application, then analyze responses for indicators of SQL injection, cross-site scripting, broken access controls, and server misconfigurations. DAST has no access to source code; it observes only the application's external behavior. This limits its visibility into internal logic flaws but makes it effective at identifying deployment-layer vulnerabilities that SAST cannot detect.
IAST agents are injected into the application runtime — typically a Java, .NET, or Node.js process — and monitor execution flows, taint propagation, and data paths in real time during test execution. IAST produces lower false positive rates than either SAST or DAST in isolation because it combines code-path knowledge with observed runtime behavior.
SCA operates as a dependency audit: the tool ingests a manifest file (package.json, pom.xml, requirements.txt), resolves the full dependency tree, and cross-references each component against vulnerability databases. The NVD, maintained by NIST, and the OSS Index maintained by Sonatype are the two most referenced public sources for SCA lookups. The Executive Order 14028 on Improving the Nation's Cybersecurity — published in the Federal Register in May 2021 — mandated software bill of materials (SBOM) practices for federal software suppliers, directly expanding enterprise SCA program adoption.
Common scenarios
AST services are procured across three primary operational contexts:
DevSecOps pipeline integration — Enterprises embed SAST and SCA tooling into CI/CD pipelines so that each code commit triggers automated security analysis before build artifacts progress to staging. DAST scans run against staging environments prior to production release.
Compliance-driven assessments — Organizations subject to PCI DSS Requirement 6.3.2 must maintain an inventory of bespoke and custom software and protect them from attacks. Requirement 6.2.4 mandates that software development practices prevent common vulnerabilities. Healthcare entities subject to HIPAA Security Rule provisions at 45 CFR § 164.306 commission periodic AST assessments as part of addressable technical safeguard obligations.
Pre-acquisition and third-party due diligence — Organizations assessing a software vendor or acquiring a software asset conduct AST as part of technical due diligence, using SAST and SCA to quantify inherited vulnerability debt before contract execution.
Penetration testing augmentation — Manual application penetration testers use DAST tooling alongside manual techniques. The security-services-directory-purpose-and-scope reference explains how penetration testing providers are classified separately from automated AST-only vendors in the service directory.
Decision boundaries
Selecting an AST methodology or provider depends on four structural variables: access to source code, stage in the development lifecycle, regulatory mandate specificity, and acceptable false positive tolerance.
| Criterion | SAST | DAST | IAST | SCA |
|---|---|---|---|---|
| Requires source code | Yes | No | No | Yes (manifest) |
| Requires running application | No | Yes | Yes | No |
| Development phase | Pre-deployment | Post-deployment | During testing | Any |
| Detects dependency CVEs | No | Indirectly | Indirectly | Yes |
| False positive burden | High | Moderate | Low | Low |
Provider qualifications vary by methodology. For federal agency contracts, AST providers may be evaluated against NIST SP 800-53 Rev. 5 control family SA (System and Services Acquisition), specifically SA-11 (Developer Testing and Evaluation), which specifies requirements for code analysis, vulnerability scanning, and penetration testing as part of system development contracts.
The distinction between tool-only vendors and full-service AST providers is functionally significant. Tool vendors license platforms; full-service providers combine tooling with analyst interpretation, remediation guidance, and attestation documentation. Regulated industries — particularly those subject to FedRAMP authorization requirements or PCI Qualified Security Assessor (QSA) oversight — typically require full-service engagements with documented methodology and findings reports. The how-to-use-this-security-services-resource reference explains how provider classifications in this directory reflect those service-model distinctions.
References
- NIST SP 800-115: Technical Guide to Information Security Testing and Assessment
- NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations
- NIST National Vulnerability Database (NVD)
- OWASP Top 10
- CWE/SANS Top 25 Most Dangerous Software Weaknesses
- PCI Security Standards Council — PCI DSS
- 45 CFR § 164.306 — HIPAA Security Rule, Technical Safeguards
- Executive Order 14028: Improving the Nation's Cybersecurity — Federal Register