SAST and DAST timing and source code access
2025-hsc-se-q13 · Dropdown Table · 2 marks
Source: NESA 2025 HSC Software Engineering HSC Q13
Question
A software developer plans to use static application security testing (SAST) and dynamic application security testing (DAST) to check an application that is being developed.
Select the correct entries to complete the table.
Complete the table
| | Most appropriate timing | Source code access |
|---|---|---|
| SAST | | |
| DAST | | |
Reveal answer
| Cell | Answer |
|---|---|
| SAST timing | before execution |
| SAST source code access | required |
| DAST timing | during execution |
| DAST source code access | not required |
Marking rubric
| Marks | Description |
|---|---|
| 2 | Correctly identifies the timing and source code access for each strategy. |
| 1 | Correctly identifies the timing and source code access for one strategy, or correctly identifies the timing for each strategy. |
Explanation
SAST analyses source code or binaries without running the application. DAST tests the running application from the outside and does not require source code access.
Metadata
- Submitter: Seed data
- Created: 2026-05-02
- Status: published
- Syllabus: y12-secure-code-security-strategies
- Tags: SAST DAST security testing source code access