Semgrep eventsApplication security loves a good acronym, and few have shaped the space quite like SAST and DAST. For years, security teams have debated which approach actually moves the needle: static analysis that catches bugs early in development; or dynamic testing that validates vulnerabilities in running applications.
But the modern AppSec pipeline is more complicated than ever. Teams are juggling dozens of tools, developers are pushing code faster than security teams can review it, and we haven’t even gotten started on the seismic landscape shifts that AI is creating.
SAST promises early detection and developer-friendly fixes, while DAST offers real-world validation and fewer theoretical findings. Both claim to be essential. Both claim to be misunderstood. And now both are grappling with the growing impact of AI in AppSec.
In this episode of Security Rulez, Dr. Katie Paxton-Fear goes head-to-head with Alexandra Charikova – AppSec Community leader at Escape, organiser of OWASP and BSides conferences, and host of The Elephant in AppSec podcast.
But here’s the twist: Instead of only defending their home turf, they’ll also take the opposite sides – Dr Katie arguing for team DAST, and Alexandra for SAST. Expect strong opinions, constructive disagreement, and a few uncomfortable truths about how security tools actually get used in practice.
To stimulate the debate, we’ll be covering questions such as:
If you could only pick one, would SAST or DAST actually reduce more real risk?
Are static tools unfairly blamed for developer friction?
Is dynamic testing too late in the lifecycle to truly matter?
Are we debating the wrong problem entirely when we argue about tools instead of workflows?
And in a world of modern pipelines, do AST tools still matter, or are we heading toward something completely different?