SAST (Static Application Security Testing) analyses an application’s source code for security vulnerabilities without executing it. Typical findings include SQL injection, cross-site scripting, hard-coded passwords, and insecure cryptographic calls. SAST can be integrated early in development, ideally as a step in the CI/CD pipeline. This gives you feedback during development, which significantly reduces remediation costs. In an ISMS, SAST is a control for secure software development per ISO 27001 Annex A 8.25. Combined with DAST (Dynamic Application Security Testing), you cover both statically and dynamically detectable vulnerabilities.