After this lesson, you will be able to: Distinguish SAST/DAST/IAST tools, know when WAFs help, and analyze HTTP traffic with browser DevTools.
Tools and infrastructure round out AppSec, they catch bugs at scale and block attacks at runtime. Knowing which tool to apply where saves time and budget.
SAST (Static Application Security Testing), reads source code looking for bug patterns. Fast, false-positive-prone, runs at code-commit. DAST (Dynamic), attacks a running app, observes responses. Slower, fewer false positives, runs against staging. IAST (Interactive), instruments the running app, watches data flow. Most accurate, requires deployment overhead.
A WAF inspects HTTP traffic and blocks known attack patterns before they reach the app. Cloud WAFs (Cloudflare, AWS WAF) sit at the edge; software WAFs (ModSecurity) sit in front of the app. Pros: stops 90% of automated attacks instantly. Cons: clever attackers bypass WAFs, and WAFs cause false positives that block real users.
DevTools is free, built-in, and enough for many investigations.
Open the site you're testing
F12 to open DevTools, switch to the Network tab
Reload the page
Click any request, look at Headers, Cookies, Timing
Look at Request payload (POST data) and Response
Use Edit and Resend (right-click on a request) to test small modifications
A mature program runs SAST + SCA on every commit, DAST against staging weekly, has a WAF in production, runs a bug bounty, and trains developers continuously. Each layer catches bugs the others miss.
SAST, DAST, manual pen test, or WAF?
Sign in and purchase access to unlock this lesson.