SAST (Static): analyzes source code without running — finds injection flaws, hardcoded credentials early in SDLC.
DAST (Dynamic): tests running application — finds runtime issues, server-side auth flaws, configuration problems.
SAST and DAST are complementary. SAST runs earlier in the SDLC, so its findings are cheaper to fix, but it has a high false-positive rate and needs source code. DAST is more realistic and finds runtime issues without needing source code, but it misses logic inside functions. Both should run in the CI/CD pipeline. IAST (Interactive) combines both approaches.