Exam CCAK topic 1 question 51 discussion

Rather than scanning code or binaries like SAST, DAST dynamically crawls through an application interface, testing how it reacts to various inputs. The good news is they tend to have low rates of false positives. DAST may require some time to fully scan code.

CCAK P# 355 - dynamic application security testing (DAST) dynamically crawls through an application’s interface, testing how it reacts to various inputs. DAST scanners cannot see what’s going on behind the scenes, but they offer valuable insight into how code behaves, and they can flush out errors other tests may not see in dynamic code paths

DAST is LOW rate false positives, p 355

It should be C because: A. Unlike SAST, DAST is a blackbox and programming language agnostic. - False. DAST is not programming language B. DAST can dynamically integrate with most CI/CD tools.. - False. SAST can be integrated. C. DAST delivers more false positives than SAST. Tue. DAST tends to generate more false positives than SAST. D. DAST is slower but thorough. False. Both can be slow.

A is correct: https://www.invicti.com/blog/web-security/dast-vs-sast-fact-check-on-static-and-dynamic-application-security-testing/ ...[D]ynamic application security testing (DAST) is a black-box testing methodology where a running application is tested from the outside. A DAST tool crawls the application and probes it for runtime vulnerabilities just like an attacker would. On the other hand, static application security testing (SAST) is a white-box security testing method that inspects the application source code to identify potential security vulnerabilities. ... SAST works on the application source code, so you need to have that code along with tools that support a specific programming language and web application framework.

Agree D.

Should be D. Rather than scanning code or binaries like SAST, dynamic application security testing (DAST) dynamically crawls through an application’s interface, testing how it reacts to various inputs. DAST scanners cannot see what’s going on behind the scenes, but they offer valuable insight into how code behaves, and they can flush out errors other tests may not see in dynamic code paths. The good news is they tend to have low rates of false positives. These tests are typically run against fully-built applications and they can be destructive, so the tools often include settings to vary between test and production environments. Like SAST, DAST may require some time to fully scan code, so in-line tests that gate a release are often run against new code only, and full application sweeps are run in parallel.