Certified Information Systems Auditor (CISA) — Question 1148

Which type of testing is used to identify security vulnerabilities in source code in the development environment?

Answer options

Correct answer: C

Explanation

Static application security testing (SAST) examines source code for vulnerabilities without executing the program, which makes it the appropriate technique for early detection in the development environment. Dynamic application security testing (DAST) evaluates a running application from the outside and requires a deployed, executing build. Interactive application security testing (IAST) combines static and dynamic techniques by instrumenting the application while it runs. Runtime application self-protection (RASP) focuses on protecting the application during execution rather than on identifying vulnerabilities in the code itself.