42Crunch for Customer hand-off validation

Customer hand-off validation confirms that an API meets security expectations before production deployment. The process requires evidence that authentication, authorization, and data exposure controls function as designed. middleBrick maps findings to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II to support audit evidence for these controls.

middleBrick is a black-box API security scanner that submits read-only methods (GET and HEAD) plus text-only POST for LLM probes. Submit a URL and receive a risk score from A to F with prioritized findings in under a minute. The scanner detects issues across authentication, BOLA, BFLA, property authorization, input validation, rate limiting, data exposure, encryption, SSRF, inventory management, unsafe consumption, and LLM/AI security. It parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution and cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination.

Authenticated scanning (Starter tier and above) supports Bearer, API key, Basic auth, and Cookie methods. Domain verification is enforced through a DNS TXT record or an HTTP well-known file, ensuring only the domain owner can scan with credentials. The scanner forwards a strict header allowlist containing Authorization, X-API-Key, Cookie, and X-Custom-* headers. This approach provides controlled, evidence-based validation of protected endpoints without exposing internal tooling.

Integration friction is low because the scanner operates without agents, SDKs, or code access. The CLI (middlebrick npm package) supports scripted runs with JSON or text output. The GitHub Action can gate CI/CD, failing the build when the score drops below a chosen threshold. The MCP Server enables scanning from AI coding assistants. Continuous monitoring (Pro tier) offers scheduled rescans, diff detection across scans, email alerts rate-limited to 1 per hour per API, and HMAC-SHA256 signed webhooks with auto-disable after 5 consecutive failures. Scan data is deletable on demand and purged within 30 days of cancellation.

middleBrick does not fix, patch, block, or remediate findings; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection, as those require intrusive payloads outside its scope. Business logic vulnerabilities are not detected, because they require domain context best handled by a human pentester. Blind SSRF is out of scope due to the lack of out-of-band infrastructure. The tool does not replace a human pentester for high-stakes audits and is aligned with security controls described in relevant frameworks rather than certifying compliance.