Application Security Testing, or AST, is the practice of testing, analyzing, and reporting on the security level of an application as it moves from early development stages through deployment and maintenance.
An effective AST program incorporates products, services, and solutions that continuously assess and address application vulnerabilities through the entire software development life cycle. An AST program should:
Successful AST programs go beyond automation — agencies also need to hire cybersecurity experts to manually analyze how government applications work and how they can be exploited. Each agency may take a different approach to its AST program, and GSA's contract options offer a variety of sophisticated tools that statically and dynamically analyze applications for detectable weaknesses.
Agencies can buy AST products and services through our technology contracts and purchasing programs:
You can find the services that best align with your AST program needs on this summary sheet [PDF - 228 KB], which provides an overview of AST and related GSA solutions.
Our Application Security Testing buyer's guide [PDF - 879 KB] provides key considerations when implementing an AST program. It also helps agencies identify and procure AST offerings to improve their application security posture.
To make your acquisition experience easier and more efficient, our AST Statement of Work template [DOCX - 37 KB] provides typical language for a cybersecurity solicitation and examples of specific activities and deliverables associated with AST services.
The template aligns with the Highly Adaptive Cybersecurity Services RFQ template [DOCX - 58 KB], so you can copy and paste information from the AST SOW template directly into Sections 3.0 and 4.0 of the RFQ Template as part of a larger cyber services requirement.