However, these tools have downsides that may cause more challenges for DevOps teams:
SAST has difficulty scanning and reporting on cloud-native applications because static tools see only the application source code they can follow. As more cloud-native apps are now developed with libraries and third-party components, the tool fails when processing these links.
DAST interactively tests the application from the outside, so it requires the application to be fully built upon every code change, a requirement that does not fit well into an agile CI/CD pipeline. It also provides only an external view of security, forgoing what’s happening inside the application.
Both SAST and DAST are older technologies that provide less effective security for cloud-native applications and can impede faster agile deployment strategies, where DevOps teams require security tools to keep up with the pace of development.
IAST is an evolution to combine