SAST tools are not designed for API-centric applications and therefore have a higher false positive rate.
Discription

API Security Testing is more complex than SAST

SAST works by examining the source code of an application to determine where it may be vulnerable to external attack, but this does not take into account how the data flows through the system. For example, if you were to examine a typical web application using SAST you would find that all requests go via HttpRequest.Body which is typically constructed from user input (such as form fields) or other sources such as cookies or headers. This means that any vulnerabilities in these areas can be detected by SAST since they will appear in the source code of an application
https://t.co/fjxx11Bl0F

Back to Main