Evaluating Static Analysis Tools to Enhance Developers' Awareness for SQL Injection, Cross-site Scripting, and Buffer Overflow in Web APIs Security Vulnerabilities
Dissertation


Ayman Almjnoony
Doctor of Philosophy (PHD), University of Idaho - College of Graduate Studies
05/2026

Abstract

Application Programming Interfaces (APIs) have become a fundamental part of modern software systems, enabling communication between services and supporting the exchange of sensitive data across applications. At the same time, APIs remain exposed to serious security vulnerabilities, including SQL Injection, Cross-Site Scripting (XSS), and Buffer Overflow. Static analysis tools (SATs) are widely used to help detect such weaknesses during development, but their practical effectiveness varies across vulnerability types, code contexts, and project environments. This dissertation evaluates how effectively selected SATs detect these vulnerabilities in web API-related C/C++ source code and examines how the resulting evidence can improve developers’ awareness of tool capabilities and limitations. The study evaluates six SATs: Flawfinder, RATS, Cppcheck, Clang-tidy, Semgrep, and CodeQL. The evaluation uses two complementary dataset types: nine real-world open-source GitHub projects associated with documented CVEs and seven synthetic SARD testcases from NIST. Across both dataset types, the tools were applied to vulnerable and patched versions of the selected cases in a Kali Linux environment. Tool outputs were compared against defined ground truth using true positives, false positives, and false negatives, and performance was assessed using Precision, Recall, and F1 Score. The findings show that tool effectiveness is not uniform across all vulnerability categories. Buffer Overflow was generally the most detectable vulnerability type, especially in the SARD testcases, whereas SQL Injection and XSS were more difficult for many tools to identify consistently, particularly in the GitHub projects. The results also reveal a clear difference between controlled synthetic cases and real-world software, showing that stronger performance on SARD testcases does not necessarily transfer to complex open-source projects.
Among the evaluated tools, Clang-tidy showed the strongest overall performance across several cases, while CodeQL demonstrated important strengths in selected semantic and data-flow-dependent cases. This dissertation contributes an empirical comparison of six SATs across two dataset types and three vulnerability categories, revealing how tool performance changes across contexts and providing developers with practical guidance for more informed tool selection and interpretation in secure web API development.
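The scoring step the abstract describes (tool findings matched against ground truth on vulnerable and patched versions, then Precision, Recall and F1) is illustrated below with an added example that is not part of the dissertation; the file names, line numbers and the two-line matching tolerance are constructed assumptions, not the study's data.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

@dataclass(frozen=True)
class Finding:
    """One location reported by a tool, or one ground-truth vulnerable site."""
    file: str
    line: int
    category: str  # "sqli", "xss" or "bof"

def score(findings: Iterable[Finding], ground_truth: Iterable[Finding],
          tolerance: int = 2) -> Tuple[int, int, int]:
    """Return (TP, FP, FN). A finding is a TP when it names the same file and
    category as a not-yet-matched ground-truth site and lies within `tolerance`
    lines of it; each site is consumed by at most one finding. Unmatched
    findings are FPs, unmatched ground-truth sites are FNs."""
    remaining: List[Finding] = list(ground_truth)
    tp = fp = 0
    for f in findings:
        hit = next((g for g in remaining if g.file == f.file
                    and g.category == f.category
                    and abs(g.line - f.line) <= tolerance), None)
        if hit is None:
            fp += 1
        else:
            remaining.remove(hit)
            tp += 1
    return tp, fp, len(remaining)

def evaluate_case(vuln_findings, patched_findings, ground_truth, tolerance=2):
    """Score one vulnerable/patched pair. The patched version has no
    ground-truth sites, so anything the tool still reports there is an FP."""
    tp, fp, fn = score(vuln_findings, ground_truth, tolerance)
    _, fp_patched, _ = score(patched_findings, [], tolerance)
    return tp, fp + fp_patched, fn

def metrics(tp: int, fp: int, fn: int) -> Tuple[float, float, float]:
    """Precision, Recall and F1; each is 0.0 when its denominator is 0
    (a tool that reports nothing has no defined precision)."""
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1

# Constructed sample data for one hypothetical project (not from the study).
GROUND_TRUTH = [Finding("api/query.c", 41, "sqli"), Finding("api/render.c", 10, "xss"),
                Finding("api/buf.c", 120, "bof")]
VULN_FINDINGS = [Finding("api/query.c", 42, "sqli"), Finding("api/render.c", 10, "xss"),
                 Finding("api/buf.c", 77, "bof"), Finding("util/str.c", 5, "bof")]
PATCHED_FINDINGS = [Finding("api/query.c", 42, "sqli")]  # still flagged after the fix
```

For the constructed data this yields TP/FP/FN = 2/3/1, Precision 0.4, Recall 0.67 and F1 0.5; the same harness applied per tool and per vulnerability category is what makes the kind of cross-context comparison in the abstract possible.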
PDF: Dissertation of Ayman Almjnoony, May 2026
Open Access

