42Crunch for DORA ICT risk evidence

What middleBrick covers

  • Black-box API scanning that completes in under one minute
  • Risk scoring from A to F with prioritized findings
  • OWASP API Top 10 (2023) aligned detection across 12 categories
  • OpenAPI 3.0/3.1/Swagger 2.0 parsing with spec-to-runtime cross-reference
  • Authenticated scanning with header allowlist and domain verification
  • Pro tier continuous monitoring with diff detection and alerts

DORA scope and API security coverage

DORA focuses on ICT risk management for entities providing or supporting digital services. The scope centers on identifying and controlling technology-related risks that can disrupt service continuity. middleBrick maps findings to OWASP API Top 10 (2023) and supports audit evidence for DORA by surfacing weaknesses in API endpoints that could lead to service disruptions or data leaks.

Black-box scanning for API risk discovery

As a self-service API security scanner, middleBrick operates as a black-box solution. You submit a URL and receive a risk score from A to F with prioritized findings. The scanner uses read-only methods such as GET and HEAD, and text-only POST for LLM probes, completing a scan in under a minute. This approach requires no agents, no code access, and no SDK integration, making it applicable to any language, framework, or cloud environment without introducing runtime changes.

Detection coverage aligned to standards

The scanner covers 12 categories aligned to OWASP API Top 10 (2023), including authentication bypass, BOLA and BFLA, property authorization over-exposure, input validation issues, rate limiting, data exposure, encryption misconfigurations, SSRF, inventory management, unsafe consumption, and LLM/AI security. It parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution and cross-references spec definitions against runtime findings to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination. These capabilities help you prepare for compliance requirements described in SOC 2 Type II and PCI-DSS 4.0 by highlighting relevant control gaps.
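The spec-to-runtime cross-reference described above starts from a parsed specification with its $ref pointers resolved. The following is an added illustration, not middleBrick's code, of the static half of that check: it inlines local JSON Pointer references (leaving a reference in place when it is already being expanded, so cyclic schemas terminate), then flags operations whose security requirements name a scheme that is not declared under components.securitySchemes, and lists operations marked deprecated. The OpenAPI document it runs on is constructed for the example.

```python
from typing import Any

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample (not a real API): one security scheme is defined, one operation
# references a scheme that is not, one operation is deprecated, and the Account
# schema references itself to exercise the cycle guard.
SAMPLE_SPEC: dict[str, Any] = {
    "openapi": "3.0.3",
    "info": {"title": "constructed example", "version": "1.0"},
    "security": [{"bearerAuth": []}],  # document-level default requirement
    "paths": {
        "/accounts": {
            "get": {"responses": {"200": {"$ref": "#/components/responses/AccountList"}}},
            "post": {"security": [{"legacyKey": []}], "responses": {"201": {"description": "created"}}},
        },
        "/v1/export": {
            "get": {"deprecated": True, "responses": {"200": {"description": "ok"}}},
        },
    },
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "responses": {
            "AccountList": {
                "description": "accounts",
                "content": {"application/json": {"schema": {"$ref": "#/components/schemas/Account"}}},
            }
        },
        "schemas": {
            "Account": {
                "type": "object",
                "properties": {
                    "id": {"type": "string"},
                    "parent": {"$ref": "#/components/schemas/Account"},  # self-reference
                },
            }
        },
    },
}


def resolve_pointer(doc: dict[str, Any], ref: str) -> Any:
    """Follow a local JSON Pointer such as '#/components/schemas/Account'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local references are supported: {ref}")
    node: Any = doc
    for token in ref[2:].split("/"):
        token = token.replace("~1", "/").replace("~0", "~")  # RFC 6901 unescaping
        node = node[token]
    return node


def resolve_refs(node: Any, doc: dict[str, Any], active: frozenset[str] = frozenset()) -> Any:
    """Recursively inline local $ref objects. A reference that is already being
    expanded on the current path is left as-is so cyclic schemas terminate."""
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str):
            if ref in active:
                return {"$ref": ref}
            return resolve_refs(resolve_pointer(doc, ref), doc, active | {ref})
        return {key: resolve_refs(value, doc, active) for key, value in node.items()}
    if isinstance(node, list):
        return [resolve_refs(item, doc, active) for item in node]
    return node


def iter_operations(doc: dict[str, Any]):
    """Yield (path, METHOD, operation) for every HTTP operation in the document."""
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS and isinstance(op, dict):
                yield path, method.upper(), op


def undefined_security_schemes(doc: dict[str, Any]) -> list[tuple[str, str, str]]:
    """Return (METHOD, path, scheme) for each requirement naming a scheme that is not
    declared under components.securitySchemes. An operation-level 'security' list
    overrides the document-level default, as OpenAPI defines."""
    defined = set(doc.get("components", {}).get("securitySchemes", {}))
    findings = []
    for path, method, op in iter_operations(doc):
        for requirement in op.get("security", doc.get("security", [])):
            for scheme in requirement:
                if scheme not in defined:
                    findings.append((method, path, scheme))
    return findings


def deprecated_operations(doc: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (METHOD, path) for operations the spec marks as deprecated."""
    return [(method, path) for path, method, op in iter_operations(doc) if op.get("deprecated") is True]


if __name__ == "__main__":
    resolved = resolve_refs(SAMPLE_SPEC, SAMPLE_SPEC)
    print(undefined_security_schemes(resolved))  # [('POST', '/accounts', 'legacyKey')]
    print(deprecated_operations(resolved))       # [('GET', '/v1/export')]
```

An operation that sets an empty security list disables authentication for that operation rather than inheriting the default; that is a separate finding (an intentionally public endpoint) and the check above deliberately does not report it.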

Authenticated scanning and data handling policies

Authenticated scanning is available from the Starter tier and above, supporting Bearer, API key, Basic auth, and Cookie methods. Domain verification via DNS TXT record or HTTP well-known file ensures only domain owners can scan with credentials, and a strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*. Continuous monitoring options on Pro and Enterprise tiers include scheduled rescans, diff detection, email alerts, HMAC-SHA256 signed webhooks, and deletion of stored data, which is purged within 30 days of cancellation. The scanner does not perform intrusive tests such as active SQL injection or command injection, and it does not detect business logic vulnerabilities or blind SSRF, nor does it provide remediation fixes.
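A signed webhook only protects the receiver if the receiver actually checks the signature over the raw request body before acting on an alert. The following is an added example, not middleBrick's code, of that receiving side. The page does not document the header name or encoding the service uses, so the X-Signature header carrying a hex HMAC-SHA256 of the body, the shared secret, and the alert payload are all constructed assumptions for the example.

```python
import hashlib
import hmac
import json
from typing import Any, Optional

# Assumed for this example: header name and hex encoding are not documented on the page.
SIGNATURE_HEADER = "X-Signature"

# Constructed shared secret and a constructed diff-detection alert payload.
SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = json.dumps(
    {
        "event": "scan.diff",
        "target": "https://api.example.test",
        "score": {"previous": "B", "current": "D"},
        "new_findings": 3,
    },
    separators=(",", ":"),
).encode()


def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes of the request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: dict[str, str], body: bytes) -> bool:
    """Recompute the MAC over the raw body and compare in constant time.
    Header names are matched case-insensitively, as HTTP requires."""
    lowered = {name.lower(): value for name, value in headers.items()}
    presented = lowered.get(SIGNATURE_HEADER.lower(), "")
    return hmac.compare_digest(sign(secret, body), presented)


def handle_delivery(secret: bytes, headers: dict[str, str], body: bytes) -> Optional[dict[str, Any]]:
    """Return the parsed alert only when the signature is valid; otherwise None.
    The body is verified as received and parsed only afterwards, because
    re-serialising JSON (whitespace, key order) would change the signed bytes."""
    if not verify(secret, headers, body):
        return None
    return json.loads(body)


if __name__ == "__main__":
    headers = {SIGNATURE_HEADER: sign(SECRET, SAMPLE_BODY)}
    print(handle_delivery(SECRET, headers, SAMPLE_BODY))  # parsed alert
    print(handle_delivery(SECRET, headers, SAMPLE_BODY + b" "))  # None: body altered
    reserialised = json.dumps(json.loads(SAMPLE_BODY)).encode()  # same JSON, different bytes
    print(handle_delivery(SECRET, headers, reserialised))  # None: signature covers raw bytes
```

If the sender also includes a timestamp in the signed material, the receiver should additionally reject deliveries outside a short freshness window, since a valid signature alone does not stop a captured alert from being replayed.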

Integration options for DORA workflows

The platform provides multiple integration paths for teams embedding API security into DORA ICT risk workflows. The web dashboard centralizes scans, report viewing, score trends, and branded compliance PDFs. The CLI supports on-demand scans with JSON or text output, and the GitHub Action can gate CI/CD pipelines based on score thresholds. An MCP server enables scanning from AI coding assistants, while a programmable API supports custom integrations. These tools help you align with security controls described in DORA without replacing human expertise for complex risk assessments.

Frequently Asked Questions

Can middleBrick certify DORA compliance?
No. middleBrick is a scanning tool that surfaces findings relevant to DORA ICT risk evidence. It does not certify compliance or replace an auditor.

Does the scanner perform intrusive testing like SQL injection?
No. It focuses on read-only detection and does not execute active SQL injection or command injection payloads.

How are false positives handled in scans?
The scanner reports findings based on observable runtime behavior. Manual validation is required to determine true positive or false positive status for each finding.

Can continuous monitoring detect changes in API risk over time?
Yes. Pro tier and above support scheduled rescans and diff detection to track new findings, resolved issues, and score drift across scans.