Which approach is considered a black-box security testing method?

Prepare for the WGU C838 Managing Cloud Security Exam. Study effectively with flashcards and multiple-choice questions, complete with hints and explanations. Ensure your success with this comprehensive preparation guide.

Dynamic application security testing (DAST) is recognized as a black-box testing method because it evaluates an application in its running state without access to the underlying source code. This approach simulates how an attacker would interact with the application, focusing on its behavior during operation. Testers use DAST to identify vulnerabilities that may be exploited during execution, such as input validation issues or security misconfigurations, making it a practical method to assess an application’s security posture from the outside.

In contrast, static application security testing and source code review analyze the code and binaries directly, which provides insights into potential issues based on the code structure rather than real-time execution. Binary code inspection also deals with low-level code analysis but is still considered more invasive than dynamic testing as it examines the compiled code rather than assessing security in a live environment. Therefore, DAST's focus on running applications without prior knowledge of the codebase defines it as a true black-box security testing method.
