Why are DAST and SAST best combined in an application security testing (AST) approach? The reason is simple: together they cover the two key result areas (KRAs) most organisations want to address and demonstrate, namely vulnerability management and compliance with various regulatory requirements.
Most industries and sectors already have the practice of outsourcing penetration testing to appointed third parties, so there is no need to invest a second time in that area unless you are setting up your own red team operations.
Where to begin, DAST first or SAST first, is a common question for beginners in the domain. If budget is a real constraint, start with dynamic application security testing (DAST). Although it is now difficult for a scanner alone to surface useful vulnerabilities in modern web applications built on secure frameworks, since developers have advanced both their applications and the frameworks they use, DAST remains a good starting point and a value-for-money web vulnerability scanner for this purpose. In particular, web vulnerability scanners that come with manual testing and an intercepting proxy let you inspect and change requests by manipulating parameters and input, so you can test or bypass the defences the developers have programmed into the web application.
For a typical enterprise that develops its own web applications or other kinds of application, static application security testing (SAST) is a very productive tool, because it can either be plugged into your IDE (Integrated Development Environment) to perform secure code review at the very early stage of the software development lifecycle, or be used during the project's code security testing phase. Enterprises that also develop mobile applications can use a SAST tool that supports their programming languages and run the scan there as well. For enterprises with only an ad hoc need, it is also helpful to engage vendors to perform the testing on a per-project basis, which clears up most potential secure coding concerns at the very beginning.
Note the trend toward cloud migration, continuous integration and delivery (CI/CD) and DevSecOps: you need to consider how the solution you select will work for you in the future as well.
E-SPIN Group is in the business of enterprise ICT solution supply, consulting, project management, training and maintenance for multinational corporations and government agencies across the region in which E-SPIN operates. The application security testing (AST) domain is one of the core pillars in which E-SPIN has been active, supplying and maintaining solutions for customers across the region since 2005. Although some product brands have risen and fallen, E-SPIN continues to update its solution portfolio to provide best-of-breed, world-class solutions, so that enterprise customers can be assured of continued supply, or replacement with a better product, over the usage lifecycle in their enterprise environment. Feel free to contact E-SPIN for your inquiry and requirements.