42Crunch for FedRAMP moderate prep
What middleBrick covers
- Black-box API scanning without agents or code access
- Detection of authentication misconfigurations and JWT issues
- OpenAPI parsing with recursive reference resolution
- Authenticated scans with strict domain verification
- CI/CD integration via GitHub Action and CLI
- Continuous monitoring with signed webhook alerts
Scope and approach for FedRAMP moderate preparation
middleBrick is a black-box API security scanner designed to support security assessment workflows rather than serve as an audit authority. It maps findings to security controls described in FedRAMP moderate baselines through detection of common misconfigurations and data exposures relevant to those controls. The scanner operates without agents, SDKs, or code access, submitting read-only requests to surface observable runtime behaviors.
Detection coverage aligned to FedRAMP-relevant concerns
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023), many of which intersect with FedRAMP moderate controls, including authentication bypass, excessive data exposure, and input validation gaps. It also detects insecure transport, missing security headers, PII leakage (for example email addresses and context-aware SSN patterns), exposed API key formats, and SSRF indicators. For authentication, it identifies JWT misconfigurations such as alg=none, weak algorithms, expired tokens, and missing claims. For data exposure, it surfaces over-exposed fields, internal attributes, and sensitive patterns that can inform data protection controls.
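As an added illustration of the JWT checks listed above (example code, not middleBrick's own), the following Python inspects a token observed in a response for alg=none, a non-allowlisted algorithm, an expired exp claim, and missing claims. The algorithm allowlist and the required-claim set are assumed policy, not values from the page, and the token is only parsed, never validated against a key.

```python
import base64
import json
import time

# Assumed policy (not from the page): algorithms a scanner would accept as known-good.
STRONG_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
               "ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512"}
# Assumed minimum claim set a token should carry.
REQUIRED_CLAIMS = ("exp", "iat", "sub")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token: str, now=None) -> list:
    """Return finding codes for a token seen in traffic (inspection only)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed-token"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["malformed-token"]
    findings = []
    alg = header.get("alg")
    # alg=none, a missing alg, or an empty signature segment all mean "unsigned".
    if alg is None or str(alg).lower() == "none" or parts[2] == "":
        findings.append("alg-none")
    elif alg not in STRONG_ALGS:
        findings.append(f"alg-not-allowlisted:{alg}")
    for claim in REQUIRED_CLAIMS:
        if claim not in claims:
            findings.append(f"missing-claim:{claim}")
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        findings.append("expired")
    return findings


def _make_token(header: dict, claims: dict, sig: bytes = b"sig") -> str:
    # Build a constructed demo token; the signature bytes are a placeholder.
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()),
                     enc(json.dumps(claims).encode()), enc(sig)])
```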
OpenAPI and runtime cross-validation
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, cross-referencing spec definitions against runtime findings. This highlights discrepancies such as undefined security schemes, deprecated operations, missing pagination, and unexpected sensitive field exposure. The comparison supports audit evidence for control validation by documenting how declared behavior differs from observed responses, which is valuable when demonstrating due diligence for FedRAMP moderate preparation.
Authenticated scanning and operational constraints
Authenticated scanning is available from the Starter tier and above, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file to ensure only domain owners can submit credentials. The scanner forwards only a limited header allowlist and uses read-only HTTP methods, avoiding destructive payloads. Note that the tool detects and reports issues but does not fix, patch, block, or remediate; it provides guidance to assist internal teams in addressing findings.
Reporting, monitoring, and integration considerations
The Web Dashboard centralizes scan results, score trends, and downloadable compliance PDFs, while the CLI and GitHub Action enable integration into CI/CD pipelines. The action can fail builds when scores drop below defined thresholds, providing early warnings during development. Continuous monitoring (Pro tier) supports scheduled rescans, diff detection across scans, and HMAC-SHA256-signed webhooks. For FedRAMP moderate workflows, these features help track posture over time and generate artifacts for review, though the tool does not replace human-led audits or penetration tests.