Dynamic Application Security Testing (DAST) exercises a running application with crafted inputs and analyzes the responses to uncover runtime‐layer flaws such as SQL injection, file-path inclusion (FRI), and cross-site scripting (XSS). Because it is performed throughout development and before production release, it supports the “security-by-design” objective of identifying and remediating vulnerabilities early in the software development life cycle.

A. Reverse engineering – Focuses on dissecting compiled binaries (often third-party or malicious code) rather than proactively finding vulnerabilities in software the organization is developing.

B. Known environment testing – Not an established security-testing methodology; offers no systematic process for detecting web-application vulnerabilities like injection or XSS.

D. Code debugging – Aims to correct logic or syntax errors; it lacks the automated attack simulation and vulnerability signatures required to expose security flaws such as SQLi or XSS.

1. NIST SP 800-115

“Technical Guide to Information Security Testing and Assessment

” §4.6.1 Dynamic Testing

pp. 4-7–4-9 – describes using dynamic analysis to detect SQLi

XSS

and file-inclusion flaws.

2. NIST SP 800-218 Rev.1

“Secure Software Development Framework

” Practice PO.3.3 & PO.4.2 – mandates dynamic analysis during development to identify injection and scripting vulnerabilities.

3. MIT OpenCourseWare 6.858 (Computer Systems Security)

Lecture 4 slides 34-36 – presents DAST tools (e.g.

Burp

ZAP) for finding runtime web-application flaws such as SQLi and XSS.