Which statement correctly distinguishes Static (SAST) and Dynamic (DAST) analysis of vulnerabilities?


Multiple Choice

Which statement correctly distinguishes Static (SAST) and Dynamic (DAST) analysis of vulnerabilities?

Explanation:
This question tests whether you can tell SAST and DAST apart by how each works and what each examines. Static analysis (SAST) inspects source code, bytecode or binaries without executing the program, looking for insecure patterns (for example SQL built by string concatenation, dangerous API calls, hard-coded secrets) and misconfigurations embedded in the code itself. Because it reads the code rather than the running system, it can run early in development, on every commit and before anything is deployed; the trade-off is that it has no runtime context, so it tends to produce false positives and cannot tell whether a flagged path is actually reachable in production. Dynamic analysis (DAST) runs the application and tests its behaviour at runtime, typically by sending crafted inputs and observing responses, errors and state changes. It therefore surfaces issues that only appear during execution, such as input-handling flaws, broken authentication or session flows, and deployment or configuration problems; it usually needs no access to the source, but it reports a symptom rather than the offending line. The two techniques are complementary: SAST covers code-level flaws before deployment, DAST covers the behaviour of the live system. The other options don't reflect this distinction.
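The following is an added worked example, not part of the original question or the Passetra explanation, showing the two approaches side by side on one constructed sample. The static check walks the abstract syntax tree of a function's source and flags an `execute()` call whose SQL is not a string literal, without ever running the function; the dynamic check runs the same function against a throwaway in-memory SQLite database with a crafted input and judges only by what comes back. The function names (`find_user`, `static_scan`, `dynamic_probe`) and the sample source are assumptions made for the example.

```python
import ast
import sqlite3

# Constructed sample code under test, kept as text so the static scanner can
# inspect it without executing it. The first version builds SQL by string
# concatenation (injectable); the second uses a bound parameter.
VULNERABLE_SOURCE = '''\
def find_user(conn, username):
    query = "SELECT id, name FROM users WHERE name = '" + username + "'"
    return conn.execute(query).fetchall()
'''

SAFE_SOURCE = '''\
def find_user(conn, username):
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (username,)).fetchall()
'''


def static_scan(source):
    """SAST-style check: parse the source and flag execute() calls whose first
    argument is not a string literal. The code is never run."""
    tree = ast.parse(source)
    # Pass 1: names assigned from anything other than a constant (concatenation,
    # f-strings, format calls) are treated as attacker-influenced SQL text.
    tainted = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and not isinstance(node.value, ast.Constant):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    tainted.add(target.id)
    # Pass 2: inspect every .execute(...) call site.
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            continue
        sql = node.args[0]
        if isinstance(sql, ast.Constant) and isinstance(sql.value, str):
            continue  # literal SQL, parameters travel separately
        if isinstance(sql, ast.Name) and sql.id not in tainted:
            continue  # variable assigned from a constant only
        findings.append("line %d: execute() called with non-literal SQL" % node.lineno)
    return findings


def load_function(source, name="find_user"):
    """Compile the sample so the dynamic check can call it."""
    namespace = {}
    exec(compile(source, "<sample>", "exec"), namespace)
    return namespace[name]


def dynamic_probe(find_user):
    """DAST-style check: run the function against a live in-memory database
    with a crafted input and judge by behaviour only; the source is not read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.commit()
    baseline = find_user(conn, "alice")          # legitimate lookup: one row
    payload = "x' OR '1'='1"                     # matches no real name
    try:
        probed = find_user(conn, payload)
        error = None
    except sqlite3.Error as exc:                 # an error is itself a runtime signal
        probed, error = [], str(exc)
    return {
        "baseline_rows": len(baseline),
        "probe_rows": len(probed),
        "error": error,
        # A payload naming no user should never return more than the baseline.
        "injectable": len(probed) > len(baseline),
    }


def compare(source):
    """Run both analyses on one sample and return their verdicts together."""
    return {
        "sast_findings": static_scan(source),
        "dast_result": dynamic_probe(load_function(source)),
    }


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SOURCE), ("safe", SAFE_SOURCE)):
        print(label, compare(src))
```

On the vulnerable sample both analyses agree, but for different reasons: the scanner points at the exact line where non-literal SQL reaches `execute()`, while the probe only knows that a nonsense username returned every row. On the safe sample the scanner sees a literal query and the probe sees zero rows for the payload. The asymmetry is the point of the question: SAST has the line number but no proof the path is reachable, DAST has the proof but no line number.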

