SAST tools are not designed for APIs and so cannot accurately detect vulnerabilities in them.
Description

APIs Are Not Web Applications

Web applications typically have a single entry point (usually the homepage) through which all of the application's functionality is reached. SAST can therefore be applied to web applications with reasonable accuracy, since they share similar data flow paths through the application. This is not true of APIs, which may have multiple entry points depending on how the API has been configured or how client code invokes it.
https://t.co/HVQNTJDVwD
