Knowing which tool to use depends in part on the type of code being tested. For example, SAST tools are often used for source code analysis, which typically requires access to the application source code. As such, these tools are often used to analyze in-house custom-developed applications. In contrast, DAST tools are typically used for analysis of software in its running state, often in cases where the testers do not have access to the source code.
IAST tools analyze potential security vulnerabilities from within the application, typically in its running state, using software instrumentation and a combination of DAST and SAST techniques. IAST tools are becoming popular in agile development and DevOps environments characterized by continuous integration/continuous development (CI/CD) activity.
SCA tools are often used to analyze common (widely used) software components and libraries and are becoming popular for testing open source software.
Many of these tools can be used in conjunction with each other – although mixing tools from different vendors can pose compatibility and integration challenges.
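The SAST/SCA distinction above comes down to what each tool needs as input: SAST needs the application's source, while SCA needs only the list of components it depends on. The following is an added example written for this page (not code from any of the tools discussed) that shows both checks in miniature; the advisory feed, the manifest and the source snippet are all constructed, and the advisory identifiers are placeholders.

```python
# Added example (not from the original document): two minimal checks that
# illustrate the different *inputs* SAST and SCA tools work from.
# Advisory data, manifest and source sample are constructed inline.
import ast
from typing import List, Tuple

# Constructed advisory feed: package -> [(highest vulnerable version, advisory id)]
ADVISORIES = {
    "examplelib": [((1, 4, 2), "ADVISORY-PLACEHOLDER-1")],
    "otherlib": [((0, 9, 0), "ADVISORY-PLACEHOLDER-2")],
}

def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '1.4.1' into (1, 4, 1) so versions compare numerically."""
    return tuple(int(p) for p in s.split("."))

def sca_check(manifest: str) -> List[Tuple[str, str, str]]:
    """SCA-style check: reads only a pinned dependency manifest, never the app's
    own source. Returns (package, version, advisory) for each vulnerable pin."""
    findings = []
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = (p.strip() for p in line.split("==", 1))
        for ceiling, advisory in ADVISORIES.get(name.lower(), []):
            if parse_version(version) <= ceiling:
                findings.append((name, version, advisory))
    return findings

def sast_check(source: str) -> List[int]:
    """SAST-style check: needs the source itself. Flags line numbers where eval()
    receives a non-literal argument (a classic code-injection sink)."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "eval" and node.args
                and not isinstance(node.args[0], ast.Constant)):
            hits.append(node.lineno)
    return hits

# Constructed sample inputs: one pinned manifest and one short source file.
SAMPLE_MANIFEST = "# pinned deps\nexamplelib==1.4.1\notherlib==1.0.0\n"
SAMPLE_SOURCE = "expr = input()\nresult = eval(expr)\nconst = eval('1+1')\n"

if __name__ == "__main__":
    print(sca_check(SAMPLE_MANIFEST))  # [('examplelib', '1.4.1', 'ADVISORY-PLACEHOLDER-1')]
    print(sast_check(SAMPLE_SOURCE))   # [2]
```

The SCA check finds the vulnerable pin without ever seeing application code, whereas the SAST check only flags the `eval` on line 2 because it can see the call's argument is not a literal.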