SAST tools are not designed for API-centric applications and as such do a poor job of detecting vulnerabilities within them.
Description
API Security testing is different from web app security testing
The OWASP Top 10 list for APIs includes the following: Cross-Site Request Forgery (CSRF), Broken Authentication and Session Management, Sensitive Data Exposure, Insufficient Transport Layer Protection, XML External Entities (XXE), Insecure Deserialization, Using Components with Known Vulnerabilities, Improper Error Handling, and Missing Function Level Access Control. These issues are all well understood by AppSec teams, who have been dealing with these problems since before they were even called AppSec teams.
https://t.co/UlDMDyrowF