Toward Autonomous DevSecOps Agents: Static–Dynamic API Security Testing for Future Software Supply Chains
Abstract
The increasing reliance of enterprise software supply chains on Representational State Transfer (REST) Application Programming Interfaces (APIs) has elevated API security from a niche concern to a foundational property of modern software production. Among the API-level weaknesses catalogued by the Open Worldwide Application Security Project, mass assignment and related broken object property level authorization faults remain disproportionately common in spite of more than a decade of warnings. They persist because the offending code is syntactically indistinguishable from safe code, because automatic binding is a default behaviour of the most widely deployed web frameworks, and because traditional security tooling treats source code analysis and runtime probing as separate concerns. This paper proposes a conceptual and operational direction for the next generation of security tooling: autonomous DevSecOps agents that combine static and dynamic API testing into a single, supply-chain-aware workflow. We outline the structural reasons API binding faults are missed by single-perspective analyzers, present a reference architecture for hybrid agents that builds a lightweight abstract syntax tree, evaluates it against a rule library, and confirms exploitability through schema-aware fuzzing of OpenAPI-described endpoints. We report empirical evaluation on three Java Spring Boot codebases representing deliberately vulnerable, tutorial-driven, and production-hardened conditions. The static stage recovered every planted vulnerability with no false negatives; the dynamic stage confirmed three of eight candidate endpoints as truly exploitable and filtered the remaining five, cutting the actionable high-severity backlog by 62.5 percent. We close with a research agenda situating hybrid agents within evolving paradigms of trustworthy DevSecOps, large-language-model assisted vulnerability reasoning, and software bill of materials governance.
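As an added illustration (not the paper's tool or code), the core of the static stage in Python: a lightweight pattern-based AST over a constructed Spring Boot snippet, checked against a small rule library, flags the handler that binds a request body straight to an entity carrying a privileged field, while the syntactically identical handler bound to a DTO is not reported. Class names, routes and the sensitive-field list are assumptions.

```python
import re
from dataclasses import dataclass
# Constructed Java sample (not from the paper): an entity with a privileged field,
# a DTO without one, and two controller methods that look alike syntactically.
JAVA_SOURCE = """
public class User {
    private String email;
    private boolean admin;
}
public class UserDto {
    private String email;
}
public class UserController {
    @PostMapping("/api/users")
    public User create(@RequestBody User user) { return repo.save(user); }
    @PostMapping("/api/profile")
    public User update(@RequestBody UserDto dto) { return service.update(dto); }
}
"""

# Rule library entry (assumed): field names a request body must never be able to set.
SENSITIVE_FIELDS = {"admin", "isAdmin", "role", "roles", "balance", "verified"}

# Lightweight "AST": class -> declared fields, plus mapped handler methods.
# Assumes one top-level class per block with its closing brace at column 0.
CLASS_RE = re.compile(r"class\s+(\w+)\s*\{(.*?)\n\}", re.S)
FIELD_RE = re.compile(r"private\s+\w+(?:<[^>]*>)?\s+(\w+)\s*;")
ENDPOINT_RE = re.compile(r'@(\w+Mapping)\("([^"]+)"\)\s*public\s+\w+\s+(\w+)\s*\(([^)]*)\)')
BODY_PARAM_RE = re.compile(r"@RequestBody\s+(\w+)\s+\w+")

@dataclass(frozen=True)
class Finding:
    route: str
    handler: str
    bound_type: str
    exposed_fields: tuple  # candidate list the dynamic stage would go on to confirm

def index_classes(src):
    # Map each class name to the set of field names it declares.
    return {name: set(FIELD_RE.findall(body)) for name, body in CLASS_RE.findall(src)}

def find_mass_assignment(src):
    # Report handlers whose @RequestBody type declares a sensitive field.
    classes = index_classes(src)
    findings = []
    for _mapping, route, handler, params in ENDPOINT_RE.findall(src):
        for bound in BODY_PARAM_RE.findall(params):
            exposed = tuple(sorted(SENSITIVE_FIELDS & classes.get(bound, set())))
            if exposed:  # a DTO carrying only safe fields produces no finding
                findings.append(Finding(route, handler, bound, exposed))
    return findings
```

The rule is type-aware rather than syntax-aware, which is why the two handlers, indistinguishable by token pattern alone, get different verdicts; the finding's `exposed_fields` is exactly what a schema-aware dynamic stage would try to confirm against the live endpoint.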
