Which application security testing methodology occurs during execution of the code?


Dynamic Application Security Testing (DAST) is the methodology that occurs during the execution of the code. This approach involves testing a running application from the outside while it is operational, simulating the actions of an attacker to identify vulnerabilities that may be exploited in real-time conditions.

DAST tools interact with the application in its running state, allowing testers to observe how it behaves when subjected to various inputs and conditions. This provides insight into security issues that arise only in operational scenarios, making DAST a critical component for identifying runtime vulnerabilities such as session management, authentication, and input validation flaws.

In contrast, Static Application Security Testing (SAST) analyzes source code or binaries without executing the application, focusing on potential vulnerabilities at the code level. Interactive Application Security Testing (IAST) combines elements of both SAST and DAST, but typically operates in a more limited context and often requires the application to be instrumented for testing. Manual Code Inspection involves reviewing the source code by hand for security issues, which likewise does not involve running the application itself.

Therefore, DAST is unique in that it provides a view of security vulnerabilities that can only be identified while the application is live and operational, making it vital for a comprehensive application security assessment.
