Which security testing method reviews code while it is executing as the final product?


Prepare for the WGU ITAS6291 D488 Cybersecurity Architecture and Engineering exam. Use flashcards and multiple-choice questions, each with explanations and guidance. Master your knowledge and excel in your exam!

The correct answer is DAST, or Dynamic Application Security Testing, because this method tests applications while they are running. DAST simulates attacks on the application as it operates, identifying vulnerabilities that could be exploited in a live environment. This approach lets security professionals assess how the application behaves in real time, offering insight into security flaws that might not be visible in static code analysis.

DAST tools work like an external attacker, sending requests to the application and monitoring the responses to discover security vulnerabilities. They also evaluate how the application behaves under various conditions, examining the user interface and the interactions typical of a production environment. This is particularly valuable for assessing real-world security risks and ensuring that all layers of the application are secure against threats.

In contrast, Static Application Security Testing (SAST) reviews the source code before the application is executed, which means it can identify issues during development but does not account for security problems that may arise during runtime. Interactive Application Security Testing (IAST) operates from within the application and can analyze both static and dynamic elements. The FFIEC is an organization, not a method of security testing; it provides guidance for banks and financial institutions.
