Which security testing approach is used to review source code and binaries without executing the application?

Prepare for the WGU C838 Managing Cloud Security Exam. Study effectively with flashcards and multiple-choice questions, complete with hints and explanations. Ensure your success with this comprehensive preparation guide.

The correct approach is Static Application Security Testing (SAST), which reviews the source code and binaries of an application without executing it. This method is critical for identifying security vulnerabilities early in the development process, because it lets developers analyze the codebase for potential weaknesses, such as coding errors or insecure coding practices, before the application is deployed to a live environment.

By examining the actual code, SAST tools can detect issues like buffer overflows, SQL injection vulnerabilities, and cross-site scripting (XSS) without the need to run the application. This proactive form of testing helps ensure that security measures are built into the software from the ground up, facilitating a more secure end product.

Other approaches, such as dynamic application security testing (DAST), focus on evaluating a running application to identify vulnerabilities during its execution, which is fundamentally different from the static analysis performed in SAST. Regression testing and fuzz testing also serve alternative purposes within the realm of software testing and security, but do not specifically address the need to examine source code without executing the application.
