SAST tools are not designed for API-centric applications and therefore have a higher false positive rate.

API Security Testing is more complex than SAST

SAST works by examining the source code of an application to determine where it may be vulnerable to external attack, but it does not take into account how data actually flows through the system. For example, if you examined a typical web application with SAST, you would find that all requests arrive via HttpRequest.Body, which is typically constructed from user input (such as form fields) or from other sources such as cookies or headers. This means that any vulnerabilities in these areas can be detected by SAST, since they appear in the source code of the application.
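As an added illustration of the false-positive point above (this is constructed example code, not code from the original page or from any real SAST product), the toy taint rule below scans Python source for request data reaching a query sink. A naive mode flags every sink fed by anything derived from a request source; a flow-aware mode lets a validation step (here `int()`, assumed to be a sanitizer) clear the taint, so the parameterised API handler is no longer reported.

```python
import ast

# Constructed rule set for the toy scanner (not a real tool's configuration).
SOURCES = {"body", "form", "cookies", "headers"}  # request attributes carrying user input
SINKS = {"execute"}                                # e.g. cursor.execute(...)
SANITIZERS = {"int", "validate_id"}                # assumed: calls treated as validation

def _tainted(node, tainted, flow_aware):
    # Does this expression derive from a request source (naive mode), or from an
    # unvalidated request source (flow-aware mode)?
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Attribute) and node.attr in SOURCES:
        return True
    if isinstance(node, ast.Call):
        fname = getattr(node.func, "attr", getattr(node.func, "id", ""))
        if flow_aware and fname in SANITIZERS:
            return False  # a validated value is no longer treated as attacker-controlled
    return any(_tainted(c, tainted, flow_aware) for c in ast.iter_child_nodes(node))

def scan(src, flow_aware):
    # Return (function, line) pairs where a sink receives tainted data.
    findings = []
    for fn in (n for n in ast.walk(ast.parse(src)) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in fn.body:  # straight-line handler bodies only; no branches or loops
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                is_t = _tainted(stmt.value, tainted, flow_aware)
                (tainted.add if is_t else tainted.discard)(stmt.targets[0].id)
            for call in (c for c in ast.walk(stmt) if isinstance(c, ast.Call)):
                name = getattr(call.func, "attr", getattr(call.func, "id", ""))
                if name in SINKS and any(_tainted(a, tainted, flow_aware) for a in call.args):
                    findings.append((fn.name, stmt.lineno))
    return findings

# Constructed handlers: lookup() concatenates raw body data into SQL; lookup_api()
# validates the value and binds it as a parameter, yet the naive rule still flags it.
APP = '''\
def lookup(request, cursor):
    user_id = request.body["id"]
    cursor.execute("SELECT * FROM users WHERE id = " + user_id)
def lookup_api(request, cursor):
    user_id = int(request.body["id"])
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
'''

if __name__ == "__main__":
    print("naive rule:     ", scan(APP, flow_aware=False))  # both handlers flagged
    print("flow-aware rule:", scan(APP, flow_aware=True))   # only lookup() flagged
```

The second finding under the naive rule is the kind of false positive the text describes: the data is validated and bound as a query parameter, but a rule that only looks at where request data appears in the source cannot tell.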
