SAST tools are not designed for API-centric applications and as such do a poor job of detecting vulnerabilities within them.
Discription

API Security testing is different from web app security testing

The OWASP Top 10 list for APIs includes the following:  Cross Site Request Forgery (CSRF), Broken Authentication and Session Management, Sensitive Data Exposure, Insufficient Transport Layer Protection, XML External Entities (XXE), Insecure Deserialization, Using Components with Known Vulnerabilities, Improper Error Handling and Missing Function Level Access Control. These issues are all well understood by AppSec teams who have been dealing with these problems since before they were even called “AppSec” teams
https://t.co/UlDMDyrowF

Back to Main

Subscribe for the latest news: