When does static application security testing require access to source code?