SAST tools are not designed for API-centric applications and as such will produce inaccurate results.

API Security is a “black box” problem that requires human analysis

The second major challenge with SAST is that it operates in a black box fashion, meaning the tool has no visibility into what happens to data once it enters an application. This makes it difficult to detect vulnerabilities like Cross Site Scripting (XSS) or SQL Injection attacks since the tool only knows about how data flows through an application at its entry points. It cannot see where the data goes after this point so cannot determine if there are any vulnerabilities associated with its processing within the application itself

Back to Main