Table A7. RQ1: findings for OWASP Top 10:2021 risk categories (number of web applications).
OWASP category | Only SAST tools | Only DAST tools | Both approaches |
---|---|---|---|
A01:2021 Broken Access Control | 0 | 75 | 0 |
A02:2021 Cryptographic Failures | 14 | 3 | 1 |
A03:2021 Injection | 7 | 0 | 68 |
A04:2021 Insecure Design | 3 | 22 | 0 |
A05:2021 Security Misconfiguration | 0 | 2 | 73 |
A06:2021 Vulnerable and Outdated Components | 1 | 58 | 0 |
A07:2021 Identification and Authentication Failures | 16 | 0 | 0 |
A08:2021 Software and Data Integrity Failures | 1 | 12 | 0 |
A09:2021 Security Logging and Monitoring Failures | 0 | 0 | 0 |
A10:2021 Server-Side Request Forgery (SSRF) | 3 | 2 | 0 |