SAST tools are not designed for API-centric applications.
Description

API Security Testing is a “Black Box” Problem

The second problem with SAST is that it only provides information about the vulnerabilities in an application and gives no insight into how to fix them. This means that AppSec teams need to use other testing methods, such as penetration tests (which can be very expensive) or manual code reviews, which are time-consuming and error-prone.

tl;dr: SAST doesn’t tell you how to fix your vulnerabilities, so you need another way of finding out what needs fixing.
https://t.co/CJiPVQYHBl
