Badges

75 Points
3 Years

User Activity

Over 2 years ago
Replied to Andrew Van Der Stock What are the OWASP Top 10 in 2021?
The history of the OWASP Top 10 through the years: https://www.hahwul.com/cullina...
Over 2 years ago
Feels like a false choice to me. They each are trying to do different things as other posters have suggested. What are the outcomes you are looking for?
Over 2 years ago
Replied to Curtis Yanko What are the OWASP Top 10 in 2021?
@Andrew Van Der Stock thanks, I’ll be sure to look for it.
Over 2 years ago
Replied to Curtis Yanko What are the OWASP Top 10 in 2021?
@Evgeny Belenky You are correct, but DAST is more about proving SAST findings to remove any doubt. I prefer to use a 'directed' DAST approach to keep it fast and in-band to the pipeline. By 'directed' I mean, we have a map of endpoints and associated vulns from our SAST…
Over 2 years ago
I’m not sure the top 10 is changing this year but if it is it will be to squeeze more stuff in ;-). To effectively detect these in a web app you need a static analyzer with deep data flow analysis. I joined ShiftLeft because I felt they had the best tool to change the way…
Almost 3 years ago
I suppose it depends on just how 'bogus' they are. If they are truly 'bogus' then you are likely looking at a trojan. If, however, we are just talking about a 'bad' security tool then you are talking about trying to manage your security with bad or missing information.
About 3 years ago
I’ve always viewed SonarQube as a code quality tool that complements many code security tools like a Checkmarx.
About 3 years ago
It’s a false choice of a question but DAST exists because folks don’t trust their SAST tool. DAST is good about true positives but bad about false negatives. SAST just has a reputation for false positives but a new generation of SAST tools do a much better job.
About 3 years ago
If you stop at ‘static analysis’ and leave off the Security Testing part, I don’t even view this tool as a security tool; it’s much more about code quality.
About 3 years ago
Application Security solutions need to work for developers and facilitate their interaction with AppSec including things like training/education. It needs to be fast enough to work on the main CI/CD pipeline and it needs to be trustworthy.

Projects

About 3 years ago
I started and run DevOps teams in Fortune 100 companies

Answers

Over 2 years ago
Application Security Tools
Over 2 years ago
Application Security Tools
About 3 years ago
Application Security Tools
About 3 years ago
Application Security Tools
About 3 years ago
Application Security Tools

About me

I know a thing or two because I’ve seen a thing or two

Interesting Projects and Accomplishments