Which security testing approach is used to review source code and binaries without executing the application?

Prepare for the Western Governors University ITCL3202 D320 Managing Cloud Security Exam. Study with flashcards and multiple choice questions; each question has hints and explanations. Get ready for your exam!

The approach that involves reviewing source code and binaries without executing the application is known as Static Application Security Testing (SAST). This technique allows security analysts to analyze the application's code for vulnerabilities by examining its structure, libraries, and source code directly. By not executing the application, SAST identifies potential security flaws early in the development process, enabling developers to rectify issues before deployment.

Static testing is beneficial because it can catch a wide range of issues related to coding standards, potential security vulnerabilities, and even logic errors that may not be apparent during dynamic testing, which requires executing the application. This proactive analysis is an essential part of ensuring the overall security posture of the software being developed.

In contrast, the other testing approaches either execute the application or focus on its behavior at runtime. Dynamic application security testing (DAST) runs the application to find vulnerabilities as it executes; regression testing checks whether existing functionality has broken after changes have been made; and fuzz testing observes how a running application responds to unexpected or random input. None of these reviews code or binaries without execution. Identifying Static Application Security Testing as the correct answer therefore demonstrates an understanding of its fundamental role in secure application development.
