SAST is not designed for API-centric applications.
Description

WAFs don’t work well with APIs either

Web Application Firewalls (WAFs) are another common tool AppSec teams use to protect web applications from external attack, and they suffer from the same problem as SAST tools: they were not designed for use with APIs. WAFs typically inspect HTTP requests and responses for attack patterns such as SQL injection or cross-site scripting (XSS). Unfortunately, this approach doesn’t work very well with APIs, since most modern frameworks do a good job of protecting against these types of attacks at the framework level.
https://t.co/zes6JbuT0U
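
The point above, as an added example that is not from the original page: a constructed pattern-based inspector in the WAF style is run over constructed JSON API bodies, next to a handler that binds the value as a query parameter the way framework data layers do. The signature names, regexes, table and request bodies are all assumptions made for illustration.

```python
import json
import re
import sqlite3

# Constructed signatures in the style of pattern-based inspection
# (illustrative only, not taken from any real WAF ruleset).
SIGNATURES = {
    "sqli": re.compile(r"['\"]\s*(?:or|and)\s+.+=|union\s+select|;\s*drop\s+table", re.I),
    "xss": re.compile(r"<\s*script\b|on\w+\s*=|javascript:", re.I),
}

def waf_inspect(body):
    """Return the names of the signatures that match the raw request body."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(body))

def make_db():
    """Build an in-memory table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def api_lookup(db, body):
    """Hypothetical API handler: the value is bound as a parameter, never concatenated."""
    name = json.loads(body)["name"]
    return db.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

# Constructed sample API request bodies.
REQUESTS = {
    "benign": json.dumps({"name": "alice"}),
    "sqli_string": json.dumps({"name": "alice' OR '1'='1"}),
    "xss_string": json.dumps({"name": "<script>alert(1)</script>"}),
}

def run():
    """Pair each request's signature verdict with what the bound query returns."""
    db = make_db()
    return {label: {"waf": waf_inspect(body), "rows": api_lookup(db, body)}
            for label, body in REQUESTS.items()}

if __name__ == "__main__":
    for label, result in run().items():
        print(label, result)
```

The two flagged bodies return no rows because the bound parameter is compared as a literal name, so the signature match adds little on top of what the data layer already does for this class of input.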
