
How SAST tools tackle the OWASP API Top 10

Map each 2023 OWASP API risk to static analysis checks and remediation patterns.

Published: February 3, 2026 • Author: APISAST

Why it matters

OWASP refreshed its API Top 10 in 2023, and recent breach reports show BOLA, broken authentication, and excessive data exposure are still the top three culprits. Static analysis catches many of these flaws before runtime by inspecting OpenAPI and GraphQL schemas.

Use the OpenAPI security scanner to flag missing auth, unbounded pagination, or unvalidated parameters long before an attacker probes production.

Static vs dynamic coverage

Dynamic scanners excel at finding runtime misconfigurations, but they cannot see design-time issues like absent security schemes, overly permissive response schemas, or undocumented endpoints. SAST inspects the contract itself, ensuring every route is authenticated, rate limited, and constrained.

Pair static scans with runtime tests: trigger DAST or fuzzing only after specs pass design checks. This keeps noisy false positives out of your CI logs.

Risk-by-risk checklist

  • BOLA / Broken object level auth: Ensure every path includes auth and object ownership checks; avoid wildcard IDs. APISAST warns when path parameters are not bound to security scopes.
  • Broken auth: Require OAuth2 or mTLS, enforce token expiry, and avoid shared secrets in query strings.
  • Excessive data exposure: Document response schemas precisely; disallow wildcard additionalProperties when returning user data.
  • Lack of rate limiting: Include 429 responses and header quotas in each operation.
  • Broken function level auth: Map scopes to operations; APISAST flags public operations inside admin tags.
  • Server-side request forgery: Validate upstream URLs and restrict callbacks; static checks catch missing allowlists.
  • Security misconfiguration: Require TLS, set CORS restrictions, and specify accepted content types.
  • Injection: Use parameter schemas with format validators; avoid free-form strings for IDs.
  • Improper assets management: Keep versions and deprecations in sync; stale endpoints become zombie APIs.
  • Logging & monitoring failures: Add consistent error models so monitoring tools can parse anomalies.
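An added example, not part of APISAST's tooling: a small Python linter that applies four of the checklist rules above (missing security requirement, free-form path IDs, undocumented 429 response, wildcard additionalProperties on responses) to an in-memory OpenAPI 3 document. The SPEC dict is constructed for the example and the function names are hypothetical.

```python
# Added example (not APISAST code): static checks over an OpenAPI 3 document.
# SPEC is a constructed sample: one well-specified route, one with design flaws.
METHODS = {"get", "post", "put", "patch", "delete"}

SPEC = {
    "paths": {
        "/users/{id}": {"get": {
            "security": [{"oauth": ["users:read"]}],
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "schema": {"type": "string", "format": "uuid"}}],
            "responses": {
                "200": {"description": "ok", "content": {"application/json": {"schema": {
                    "type": "object", "properties": {"email": {"type": "string"}},
                    "additionalProperties": False}}}},
                "429": {"description": "rate limited"}}}},
        "/orders/{id}": {"get": {
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "schema": {"type": "string"}}],
            "responses": {"200": {"description": "ok", "content": {"application/json": {
                "schema": {"type": "object", "additionalProperties": True}}}}}}},
    },
}

def lint_openapi(spec: dict) -> list[str]:
    """Return one finding per violated rule, tagged with the OWASP API risk it maps to."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in METHODS:
                continue
            where = f"{method.upper()} {path}"
            # Broken auth: an operation-level `security: []` overrides the global
            # requirement and makes the route public, so it counts as missing too.
            if not op.get("security", spec.get("security")):
                findings.append(f"broken-auth {where}: no security requirement")
            # Injection: path IDs need a format or pattern, not a free-form string.
            for p in op.get("parameters", []):
                s = p.get("schema", {})
                if p.get("in") == "path" and s.get("type") == "string" and not (s.get("format") or s.get("pattern")):
                    findings.append(f"injection {where}: path param '{p['name']}' is a free-form string")
            # Rate limiting: the 429 response should be part of the contract.
            if "429" not in op.get("responses", {}):
                findings.append(f"rate-limit {where}: no 429 response documented")
            # Excessive data exposure: wildcard additionalProperties lets undocumented fields leak.
            for code, resp in op.get("responses", {}).items():
                for media in resp.get("content", {}).values():
                    if media.get("schema", {}).get("additionalProperties") is True:
                        findings.append(f"data-exposure {where}: response {code} allows additionalProperties")
    return findings
```

Running `lint_openapi(SPEC)` reports four findings, all on `GET /orders/{id}`, and none on the fully specified `/users/{id}` route.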

Workflow example

Add a CI job that runs API security SAST tools on every pull request. Block merges on high-severity findings, but allow developers to download a remediation report with code snippets. After deployment, schedule a weekly DAST scan and compare findings against the static baseline.

Best practices

  • Keep one canonical OpenAPI spec per service; avoid drift.
  • Tag sensitive operations and bind them to narrow scopes.
  • Return RFC 7807 problem details for predictable monitoring.
  • Cross-link findings to the SAST testing for APIs guide.
  • Offer a self-service scan so consumers can verify your contract.