“Defense in depth” means having multiple layers of security, so that something that slips through one layer is caught by the next. The same principle applies to application security assessment: although penetration testing (PT) and static application security testing (SAST) overlap somewhat, each finds types of security flaws the other tends to miss, so their results are complementary.
Most kinds of human analysis have diminishing returns: more effort yields more findings, but each one takes longer to dig out. The low-hanging fruit turns up early, and the rate of discovery drops over time. M&A due diligence is inherently time-constrained, and its aim is a clear picture of how secure the software is, not necessarily an inventory of every individual flaw. A great benefit of pursuing two angles of analysis in parallel is that each produces its quick early results independently, yielding more insight than spending the same additional time on a single technique.
Two independent tests are a good idea, but collaboration yields even more. A strong practice is to run the PT and the SAST on a given application simultaneously, with the assessors informing each other throughout the engagement so that each can prioritize the directions worth exploring in more depth.
Testing access controls and identifying complex vulnerabilities takes far more effort when penetration testing works alone. SAST findings can serve as a “blueprint” of areas for the PT to prioritize and explore in greater depth. If a SAST assessor identifies a poorly implemented functional area, or a security-relevant setting that is left at its default rather than explicitly disabled, they can point their PT colleagues at it to attempt an exploit. The PT might then find that what looked like a minor flaw was in fact a path to extract the entire database, or that the code contains further exploitable issues beyond the original SAST finding, raising the severity of the concern.
Similarly, penetration testing can inform the SAST assessor. Because PT works from the outside in, the testers can only infer from observed behavior what is lacking in the underlying code; their findings are clues to the root cause rather than the cause itself. A SAST assessor can run those clues down in the source, often finding the cause and, with it, broader issues.