SAST tools are not designed for API-centric applications and thus have a higher rate of false positives.

APIs are different from web apps in terms of data flow, so SAST is less accurate on APIs than it is on web apps.

API Security Testing Tools Are Not up to the Job Either…
API security testing tools suffer from similar limitations as SAST, since they were also designed with web applications in mind. For example, OWASP ZAP (a popular open-source tool) has an “Auto Discovery” feature which scans a local network for HTTP endpoints and then attempts to identify them via their URL structure, e.g., /api/v1/users/
