
Add Prerequisite/TECH about Detecting Sensitive Data in SAST #3327

@cpholguera


We should have a general section that explains how sensitive data is 'used' in SAST.

There are two general solutions: search for sink APIs and figure out if sensitive data goes into them, or define sources (sensitive data) and see where they flow. I would think these static checks just focus on sinks?

Originally posted by @TheDauntless in #3289 (comment)
