Since the dawn of application security a quarter-century ago, the discipline has been defined by the combination of two necessary but insufficient approaches to finding and fixing vulnerabilities in software: static analysis (SAST) and dynamic analysis (DAST). Almost every AppSec organization must employ some version of both tactics, as they can each help to mitigate the other’s well-known drawbacks.

Yet, the persistent challenge in application security since its inception has been the inability to automatically correlate results between tools in each category, resulting in a high degree of manual triage, inefficiency, and coverage gaps. Attempts to resolve the correlation problem through highly opinionated technologies like IAST have consistently faced high barriers to adoption, especially in technically diverse environments.

But this perennial headache of AppSec professionals may finally have a cure on the way. Recent advances in AI and machine learning, combined with the availability of new data streams such as eBPF, have opened a new window of opportunity for innovation in the field of DAST/SAST correlation, and a new race is underway to finally solve application security’s trickiest problem once and for all.

Join Snyk, the leader in Developer Security and AI Trust, for a discussion of:

- Why do most organizations require both DAST and SAST tools rather than standardizing on one or the other?

- What have been the traditional barriers to correlating vulnerability results between the two technologies, and why does this drive inefficiency and coverage gaps within AppSec programs?

- How is the developer experience (DevEx) negatively affected by the lack of DAST to SAST correlation?

- Why have historical attempts to solve this problem largely been unsuccessful?

- What new technologies and techniques have prompted renewed pursuits of DAST/SAST correlation among security vendors, and is there hope on the horizon?

- What opportunities will trustworthy, automated vulnerability correlation unlock for the future of application security practice?