Software Assurance & Validation
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.
Included in this chapter:
- Two axes that classify every security test
- SAST, DAST, IAST, SCA: when each finds what
- Functional, non-functional, QA, and abuse-case testing
- Exam-pattern recognition
Security testing methodologies: visibility axis and analysis axis
| Method | Knowledge of internals | Runs the app? | Finds the code line? | False positives | Primary blind spot |
|---|---|---|---|---|---|
| SAST (static) | White-box (source/bytecode) | No, analyzes at rest | Yes, exact line | High | Cannot tell which paths are reachable; misses runtime/config flaws |
| DAST (dynamic) | Black-box (external attacker) | Yes, attacks running app | No, reports behavior | Low | No code location; misses paths it never exercises |
| IAST (interactive) | Gray-box (instrumented runtime) | Yes, with in-process sensors | Yes, via sensors | Low | Limited language/runtime support; runtime overhead |
| SCA (composition) | Inventory of dependencies | No, scans components | Names the vulnerable library | Low | Only third-party code, says nothing about your own |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.