Compare SAST, DAST, SCA, and IAST — what does each find, their false-positive profile, and where they sit in the pipeline?
SAST (static application security testing) analyzes source or bytecode without executing it, so it runs earliest (IDE, pre-commit, PR checks) and finds injection sinks, hardcoded secrets, insecure crypto and similar code patterns; it covers every code path, but it is noisy because it cannot tell whether a tainted path is actually exercised, and it is blind to runtime behaviour and deployment configuration. DAST (dynamic) probes a running application from the outside the way an attacker would, so what it reports (broken auth, injection, missing security headers) is demonstrably exploitable and false positives are rare, but coverage is limited to what the crawler reaches, it cannot point at the responsible line of code, and it needs a deployed target, so it runs later against staging or nightly builds. SCA (software composition analysis) inventories third-party dependencies from lockfiles or build manifests and flags known-vulnerable versions and license problems; it is essential because most shipped code is dependencies, but a vulnerable version is not a vulnerable application unless the affected function is reachable, so raw SCA output needs reachability triage or it becomes a flood of unactionable findings. IAST instruments the application with an agent inside the runtime and watches data flow while functional tests or a DAST scanner drive traffic, which gives precise, low-false-positive findings tied to a code location, at the cost of deploying agents and depending on test coverage. Layer them: SCA and SAST on every PR, DAST and IAST against running builds in staging, and periodic manual pentesting for the logic flaws none of the tools find.
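As an added example (not code from the original page or from any SCA product), the following script shows the SCA false-positive caveat in practice: it reads a pinned lockfile, matches installed versions against an advisory feed, and then downgrades any finding whose vulnerable function the application never calls. The package names, advisory IDs and application source are constructed for the example; the advisory format and the `fixed_in`/`symbol` fields are assumptions, not a real feed schema.

```python
import ast
import re

# Constructed sample inputs. None of these packages or advisories are real.
LOCKFILE = """\
acme-yaml==1.2.0
acme-http==0.9.3
acme-log==3.1.0
"""

# Hypothetical advisory feed: package, first fixed version, vulnerable entry point.
ADVISORIES = [
    {"id": "ADV-0001", "package": "acme-yaml", "fixed_in": "1.4.0",
     "symbol": "acme_yaml.unsafe_load"},
    {"id": "ADV-0002", "package": "acme-http", "fixed_in": "1.0.0",
     "symbol": "acme_http.fetch"},
    {"id": "ADV-0003", "package": "acme-log", "fixed_in": "2.0.0",
     "symbol": "acme_log.lookup"},  # installed 3.1.0 is already fixed
]

# Constructed application code: uses the safe YAML loader, but does call the
# vulnerable HTTP fetch through an import alias.
APP_SOURCE = """
import acme_yaml
from acme_http import fetch as http_fetch

def load(cfg_text):
    return acme_yaml.safe_load(cfg_text)

def pull(url):
    return http_fetch(url)
"""


def parse_lockfile(text):
    """Map package name -> pinned version from requirements-style 'name==x.y.z' lines."""
    installed = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)==([0-9][0-9.]*)", line)
        if m:
            installed[m.group(1)] = m.group(2)
    return installed


def version_tuple(v):
    """Numeric-only comparison; enough for the pinned versions used here."""
    return tuple(int(p) for p in v.split("."))


def called_symbols(source):
    """Return the fully qualified names of imported callables the code actually invokes.

    Resolves 'import x', 'import x as y' and 'from x import f as g' so that a call
    through an alias still maps back to the advisory's symbol name.
    """
    tree = ast.parse(source)
    aliases = {}  # local name -> fully qualified name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    called = set()
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Name) and f.id in aliases:
            called.add(aliases[f.id])
        elif (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
              and f.value.id in aliases):
            called.add(f"{aliases[f.value.id]}.{f.attr}")
    return called


def triage(lockfile_text, advisories, app_source):
    """Version match (what a plain SCA scan reports) plus reachability triage."""
    installed = parse_lockfile(lockfile_text)
    reached = called_symbols(app_source)
    findings = []
    for adv in advisories:
        ver = installed.get(adv["package"])
        if ver is None or version_tuple(ver) >= version_tuple(adv["fixed_in"]):
            continue  # not installed, or already at a fixed version
        reachable = adv["symbol"] in reached
        findings.append({
            "id": adv["id"], "package": adv["package"], "installed": ver,
            "reachable": reachable,
            "priority": "fix now" if reachable else "track (likely false positive)",
        })
    return findings


if __name__ == "__main__":
    for f in triage(LOCKFILE, ADVISORIES, APP_SOURCE):
        print(f"{f['id']} {f['package']}=={f['installed']}: {f['priority']}")
```

A plain version match reports two findings; the reachability pass keeps ADV-0002 as "fix now" because `acme_http.fetch` is called through the `http_fetch` alias, and marks ADV-0001 as a likely false positive because only `safe_load` is ever invoked. The direct-call heuristic is deliberately simple: dynamic dispatch, `getattr`, and vulnerable code reached through a transitive dependency's own calls all evade it, which is why commercial SCA reachability relies on whole-program call-graph analysis and why "unreachable" should lower priority rather than close the finding.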