Memotiva CISSP Flashcards: Software Development Security, SDLC, OWASP, Secure Coding

What is the difference between static and dynamic application security testing?

Nortren


Static application security testing, or SAST, analyzes source code, bytecode, or binaries without executing the application, finding vulnerabilities such as buffer overflows, injection flaws, and hardcoded credentials early in development. Dynamic application security testing, or DAST, tests the running application by sending crafted inputs and analyzing the responses, finding runtime vulnerabilities such as authentication flaws, configuration errors, and injection flaws that manifest only during execution. SAST finds more issues earlier in the lifecycle but produces more false positives.
csrc.nist.gov