SAST tools are not designed for API-centric applications and so do not work well on them.

APIs Are Not Web Applications — They’re Microservices!

The other problem with SAST is that it was designed to be used against monolithic web applications, which have a single entry point (typically the homepage) and a clearly defined data flow path through the application. APIs, however, are constructed using microservice architectures which typically consist of multiple endpoints each performing different functions such as authentication or user management. This makes it difficult to create an accurate model of how data flows through the application since there may be multiple paths between any two points in the system making it impossible to determine where vulnerabilities lie without actually testing them

Back to Main