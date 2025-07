Web applications continue to be the attack surface of choice for hackers attempting to access sensitive data. Per the “2020 Data Breach Investigations Report” from Verizon, successful attacks on web applications accounted for nearly half of all data breaches (43%), representing the single greatest cause of such breaches, and more than double the rate of the previous year.1

Organizations clearly need to secure their web applications before they are deployed in production. But while development and application security (AppSec) teams often use static application security testing (SAST) and software composition analysis (SCA) solutions to identify security weaknesses and vulnerabilities in proprietary and open source code, they do so statically, at the code or component level. Many vulnerabilities can only be detected by dynamically testing an application during runtime test and release phases.

That’s why many organizations use dynamic application security testing (DAST) or penetration testing. DAST and penetration testing tools are run during QA or a late stage of production to detect vulnerabilities that can’t be found using SAST or SCA tools.

Additionally, while DAST and penetration testing can identify security vulnerabilities, they can’t pinpoint the lines of code containing the vulnerabilities. As a result, critical security issues identified by DAST can be problematic to fix and take a long time to resolve, putting remediation out of reach for the average developer.