You do not need to do DAST in a pipeline to do DevSecOps
Blog post from Semgrep
Dynamic scanning tools, while useful, are not essential in a CI/CD pipeline to achieve effective DevSecOps. Dynamic analysis involves interacting with a running system to identify vulnerabilities, but it has limitations: in "black box" testing the code is not visible, which can lead to incomplete coverage. Dynamic Application Security Testing (DAST) tools automate this process, but they are not always necessary, as they can miss attack surfaces and produce false positives, especially if operated by unskilled personnel. Alternatives like static analysis, penetration testing, and modern API-specific tools can provide comprehensive security coverage, tailored to the unique needs of an organization. The key to successful DevSecOps is integrating security practices that align with DevOps processes, providing fast feedback, optimizing system efficiency, and fostering constant improvement. Each organization should focus on what delivers the best results for it, considering its specific requirements and constraints, rather than strictly adhering to vendor recommendations or industry trends.