Beyond the Top 10: Finding Business Logic Flaws, Data Leakage and Hard-Coded Secrets in Development

May 1, 2020

54m

The focus of many application security programs has long been the OWASP Top 10 or SANS Top 25 vulnerabilities. While there are many SAST solutions that can identify technical vulnerabilities such as SQLi, CSRF or XXE, SAST is not effective at identifying vulnerabilities that require context, such as business logic flaws, data leakage or hard-coded secrets.
While pattern-matching techniques can identify the symptoms of an injection vulnerability across any code base, pattern matching is not sufficient for business logic flaws, data leakage or hard-coded secrets because these issues are unique to each code base. Manual code review or penetration testing can help, but neither scales to the pace of modern release velocities.
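To make the distinction in the abstract concrete, here is an added example (not code from the talk or its speaker) in Python. It runs a single syntactic rule, a SQL string concatenated with a variable, over two constructed source snippets: the rule fires on the injection symptom but returns nothing for a discount function that can be applied repeatedly, because nothing about that line looks wrong without knowing the order's invariants. The same flaw is then caught by an idempotency check that encodes the business rule. The snippet names, the `Order` shape and the `SPRING10` code are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample source files, standing in for code under review.
INJECTION_SAMPLE = '''
def find_user(db, username):
    query = "SELECT * FROM users WHERE name = '" + username + "'"
    return db.execute(query)
'''

LOGIC_SAMPLE = '''
def apply_discount(order, code):
    order.total -= order.discounts[code]
    return order.total
'''

# A pattern-matching rule: a SQL statement literal concatenated with a variable.
# This symptom looks the same in every code base, so a generic rule can find it.
SQLI_PATTERN = re.compile(
    r'"(?:SELECT|INSERT|UPDATE|DELETE)[^"]*"\s*\+\s*\w+', re.IGNORECASE
)


def pattern_scan(source: str) -> list[str]:
    """Return every fragment of `source` matching the injection symptom rule."""
    return [m.group(0) for m in SQLI_PATTERN.finditer(source)]


@dataclass
class Order:
    total: float
    discounts: dict
    applied: set = field(default_factory=set)


def apply_discount_flawed(order: Order, code: str) -> float:
    # Business logic flaw: the same code can be applied any number of times.
    # Syntactically this line is unremarkable; only the order's rules say it is wrong.
    order.total -= order.discounts[code]
    return order.total


def apply_discount_fixed(order: Order, code: str) -> float:
    # Hardened form: a discount code is applied at most once per order.
    if code in order.applied:
        return order.total
    order.applied.add(code)
    order.total -= order.discounts[code]
    return order.total


def discount_is_idempotent(apply_fn) -> bool:
    """Context-aware check: applying one code twice must equal applying it once."""
    order = Order(total=100.0, discounts={"SPRING10": 10.0})
    apply_fn(order, "SPRING10")
    apply_fn(order, "SPRING10")
    return order.total == 90.0


if __name__ == "__main__":
    print("injection symptom found:", pattern_scan(INJECTION_SAMPLE))
    print("pattern hits in discount code:", pattern_scan(LOGIC_SAMPLE))
    print("flawed discount idempotent:", discount_is_idempotent(apply_discount_flawed))
    print("fixed discount idempotent:", discount_is_idempotent(apply_discount_fixed))
```

The point of the example is where each check gets its knowledge from: the regex encodes a symptom that is the same everywhere, while the idempotency check encodes a rule that exists only in this application, which is why such checks have to be written per code base rather than shipped as a generic scanner rule.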

Guest(s): Chetan Conikee