42Crunch for GDPR Article 32 alignment
What middleBrick covers
- Black-box scanning with no agents or SDKs required
- Risk scoring with prioritized findings
- Covers authentication and data exposure controls
- OpenAPI 3.x and Swagger 2.0 parsing with diff analysis
- Authenticated scanning with strict header allowlist
- Scheduled rescans and trend tracking
Scope and approach to data protection assessments
middleBrick is a black-box API security scanner that submits read-only requests to an endpoint and returns a risk score with prioritized findings. The tool maps findings to security controls described in GDPR Article 32 and supports audit evidence for data protection assessments by surfacing technical weaknesses related to confidentiality and integrity.
Detection capabilities relevant to data protection requirements
Because GDPR Article 32 emphasizes resilience and confidentiality, the scanner focuses on findings that directly affect personal data protection. Detection categories include authentication bypass, data exposure of PII and sensitive data patterns, insecure transport such as missing HTTPS redirects and HSTS, and input validation issues like CORS wildcard usage. The scanner also probes SSRF indicators and unsafe third-party consumption surfaces that can lead to unauthorized data access.
- Authentication issues including JWT misconfigurations and missing security headers.
- Data exposure through error leakage, PII patterns, and exposed API keys.
- Transport weaknesses such as lack of redirects to HTTPS and missing HSTS.
- Input validation gaps including dangerous methods and CORS misconfigurations.
- SSRF indicators and unsafe consumption of external endpoints.
- LLM security probes relevant to confidentiality of model and data interfaces.
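To make the transport, header, CORS and data-exposure categories above concrete, here is an added example (not middleBrick's own code) that runs those checks over one constructed HTTP response and turns the findings into a prioritized list and a 0-100 risk score. The severity weights, category names and regexes are assumptions chosen for illustration.

```python
import re

# Constructed sample of what a read-only probe might observe; not real traffic.
SAMPLE_HTTP_RESPONSE = {
    "url": "http://api.example.test/v1/users",   # probed over plain HTTP
    "status": 200,                               # served, not redirected to HTTPS
    "headers": {
        "Content-Type": "application/json",
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": "true",
    },
    "body": '{"error":"Traceback (most recent call last)",'
            '"api_key":"AKIAEXAMPLE0000000000"}',
}

# Assumed weights: each finding deducts from a 100-point baseline.
SEVERITY_WEIGHTS = {"high": 20, "medium": 10, "low": 5}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def check_response(resp):
    """Return (severity, category, detail) tuples, highest severity first."""
    findings = []
    hdrs = {k.lower(): v for k, v in resp["headers"].items()}  # header names are case-insensitive
    # Transport: plain HTTP answered with content instead of a redirect, and no HSTS.
    if resp["url"].startswith("http://") and resp["status"] not in (301, 302, 307, 308):
        findings.append(("high", "transport", "plain HTTP served without redirect to HTTPS"))
    if "strict-transport-security" not in hdrs:
        findings.append(("medium", "transport", "missing HSTS header"))
    # CORS: wildcard origin is worse when credentials are also allowed.
    if hdrs.get("access-control-allow-origin") == "*":
        with_creds = hdrs.get("access-control-allow-credentials", "").lower() == "true"
        findings.append(("high" if with_creds else "medium", "input-validation",
                         "CORS wildcard origin" + (" with credentials allowed" if with_creds else "")))
    # Security headers a browser-facing API is expected to send.
    for h in ("x-content-type-options", "content-security-policy"):
        if h not in hdrs:
            findings.append(("low", "headers", f"missing {h} header"))
    # Data exposure: stack traces and credential-looking values in the body.
    if re.search(r"traceback|exception|stack trace", resp["body"], re.I):
        findings.append(("medium", "data-exposure", "error details leaked in response body"))
    if re.search(r'"api_key"\s*:\s*"[A-Za-z0-9]{16,}"', resp["body"]):
        findings.append(("high", "data-exposure", "API key value present in response body"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


def risk_score(findings):
    """Score from 100 (no findings) down to 0, floored at 0."""
    return max(0, 100 - sum(SEVERITY_WEIGHTS[sev] for sev, _, _ in findings))
```

Running `check_response(SAMPLE_HTTP_RESPONSE)` yields seven findings and a score of 10; a response served over HTTPS with HSTS, a specific allowed origin, the two security headers and a clean body yields no findings and a score of 100.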
OpenAPI analysis and configuration review
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution and cross-references spec definitions against runtime behavior. This helps identify undefined security schemes, deprecated operations, missing pagination, and over-exposed fields that can increase data exposure risk. While this supports review of technical safeguards aligned with GDPR Article 32, it does not replace a data protection impact assessment conducted by a qualified officer.
Authenticated scanning and access control validation
With Starter tier and above, authenticated scanning using Bearer tokens, API keys, Basic auth, or cookies is available. Domain verification through DNS TXT records or HTTP well-known files ensures that only domain owners can scan with credentials. The scanner uses a restricted header allowlist and read-only methods, avoiding any modification of data. Note that the tool detects weaknesses in access control configurations but does not remediate them or replace a formal access control review required for GDPR compliance.
Operational characteristics and limitations
Scans complete in under a minute and are read-only; destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. The tool provides continuous monitoring options, scheduled rescans, and diff detection to track score trends over time. It does not perform intrusive injection tests (active SQL injection or command injection), does not detect business logic flaws, and should not replace a human pentester for high-stakes audits. Findings include remediation guidance, but the tool does not fix, patch, or block issues.