Alternatives to Lasso Security for Auditor-requested API inventory
What middleBrick covers
- Black-box API scanning with no agents or code access
- Resolves and cross-checks OpenAPI 3.x and Swagger 2.0 definitions
- Detects OWASP API Top 10 misconfigurations and compliance gaps
- Supports authenticated scans with header allowlist controls
- Provides dashboard reports and compliance PDF exports
- Includes CI/CD integration via GitHub Action and MCP server
Purpose and scope for auditor inventory requests
When auditors request an API inventory, they seek a reliable mapping of in-scope endpoints, authentication mechanisms, and data flows. middleBrick is a black-box scanner designed to produce an initial, evidence-backed inventory without requiring code access or agents. The scanner resolves OpenAPI specifications, validates security schemes, and cross-references definitions against runtime behavior to surface undefined operations and security misconfigurations.
Coverage of OWASP API Top 10 and compliance mapping
middleBrick maps findings to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II controls, providing detection aligned with recognized standards rather than claiming certification. The scanner covers authentication bypass, JWT misconfigurations such as alg=none and expired tokens, authorization flaws including BOLA and BFLA, and input validation issues like CORS misconfigurations and dangerous HTTP methods. It also detects data exposure patterns including PII, API key formats, error leakage, and encryption issues such as missing HSTS or insecure cookie flags.
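The passive checks described above can be illustrated with a few lines of code. The following Python is an added example, not middleBrick's code: it inspects a captured HTTP response and a presented JWT, flags missing HSTS, cookies without Secure or HttpOnly, a wildcard CORS origin combined with credentials, dangerous methods advertised in an Allow header, and alg=none or expired tokens, and tags each finding with the OWASP API Top 10 (2023) category it maps to. The headers, the token and the "dangerous method" list are constructed inline for the example.

```python
"""Added example (not middleBrick's code): passive misconfiguration checks over
a captured response and a presented JWT, mapped to OWASP API Top 10 (2023)."""
import base64
import json
import time

# Hypothetical policy for the example: methods a read-only API should not advertise.
DANGEROUS_METHODS = {"TRACE", "PUT", "DELETE", "PATCH", "CONNECT"}
COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly"}


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sample_unsigned_jwt(claims):
    """Constructed fixture: an alg=none token used only as input to check_jwt."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def check_jwt(token, now=None):
    """Flag alg=none, a missing exp claim, and expired tokens (API2:2023)."""
    try:
        header_b64, payload_b64, _signature = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad segment count, bad base64, bad JSON
        return [("API2:2023", "malformed JWT")]
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append(("API2:2023", "JWT uses alg=none"))
    exp = payload.get("exp")
    if exp is None:
        findings.append(("API2:2023", "JWT has no exp claim"))
    elif exp < (time.time() if now is None else now):
        findings.append(("API2:2023", "JWT is expired"))
    return findings


def check_response_headers(headers, tls=True):
    """Flag missing HSTS, insecure cookie flags, permissive CORS and dangerous
    methods (API8:2023). Set-Cookie may be a string or a list of strings."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if tls and "strict-transport-security" not in h:
        findings.append(("API8:2023", "missing Strict-Transport-Security"))
    cookies = h.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        for key, label in COOKIE_FLAGS.items():
            if key not in attrs:
                findings.append(("API8:2023", f"cookie {name} missing {label}"))
    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append(("API8:2023", "CORS allows any origin with credentials"))
    advertised = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    risky = sorted(advertised & DANGEROUS_METHODS)
    if risky:
        findings.append(("API8:2023", "dangerous methods advertised: " + ", ".join(risky)))
    return findings


# Constructed sample response headers (not captured from any real service).
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "Set-Cookie": ["session=abc; Path=/; HttpOnly",
                   "prefs=1; Path=/; Secure; HttpOnly; SameSite=Lax"],
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Allow": "GET, POST, PUT, DELETE, TRACE",
}

if __name__ == "__main__":
    for finding in check_response_headers(SAMPLE_HEADERS):
        print(*finding)
    for finding in check_jwt(sample_unsigned_jwt({"sub": "u1", "exp": 1_000_000})):
        print(*finding)
```

The checks are deliberately passive: they only read headers and a token already in hand, which is the evidence an auditor can verify, and the category tags give the mapping from finding to standard that the page describes.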
OpenAPI analysis and runtime correlation
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, then correlates spec definitions against live behavior. This helps highlight discrepancies such as undefined security schemes, sensitive fields exposed in responses, deprecated operations, and missing pagination. The comparison supports audit evidence by documenting where the specification and implementation diverge, without attempting to fix or remediate the findings.
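To make the spec-versus-runtime comparison concrete, here is an added Python example (not middleBrick's code) that resolves `$ref` pointers in a small OpenAPI 3.x document and then correlates the declared operations with a list of (method, path) pairs observed at runtime. It reports operations seen but not declared, declared operations with no security requirement, deprecated operations, and sensitive fields declared in 200 responses. The spec, the observed traffic and the sensitive-field list are all constructed for the example.

```python
"""Added example (not middleBrick's code): resolve $ref pointers in an OpenAPI
document and correlate declared operations with observed runtime endpoints."""
import copy
import re

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
SENSITIVE_FIELDS = {"email", "ssn", "password", "address"}  # constructed list

# Constructed sample spec: a reused schema via $ref, one operation with no
# security requirement, and one deprecated operation.
SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object", "properties": {
                "id": {"type": "integer"}, "email": {"type": "string"},
                "address": {"$ref": "#/components/schemas/Address"}}},
            "Address": {"type": "object", "properties": {"street": {"type": "string"}}},
        },
    },
    "paths": {
        "/users/{id}": {"get": {
            "security": [{"bearerAuth": []}],
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/User"}}}}}}},
        "/health": {"get": {"responses": {"200": {"description": "ok"}}}},
        "/legacy/export": {"get": {"deprecated": True, "security": [{"bearerAuth": []}],
                                   "responses": {"200": {"description": "csv"}}}},
    },
}

# Constructed runtime observations: (method, concrete path) pairs.
OBSERVED = [("GET", "/users/42"), ("GET", "/health"),
            ("GET", "/admin/users"), ("DELETE", "/users/42")]


def resolve_refs(node, root, seen=()):
    """Recursively replace {'$ref': '#/a/b'} with a copy of the referenced object.
    `seen` stops self-referential schemas from recursing forever."""
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in seen:
                return {"x-circular-ref": ref}
            target = root
            for part in ref.lstrip("#/").split("/"):  # RFC 6901 pointer walk
                target = target[part.replace("~1", "/").replace("~0", "~")]
            return resolve_refs(copy.deepcopy(target), root, seen + (ref,))
        return {k: resolve_refs(v, root, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(v, root, seen) for v in node]
    return node


def path_to_regex(template):
    """Turn '/users/{id}' into a regex matching concrete paths like '/users/42'."""
    return re.compile("^" + re.sub(r"\{[^/]+\}", r"[^/]+", template) + "$")


def correlate(spec, observed):
    """Return (category, detail) findings from comparing spec and runtime."""
    spec = resolve_refs(spec, spec)
    declared = {(m.upper(), t): op for t, item in spec["paths"].items()
                for m, op in item.items() if m.lower() in HTTP_METHODS}
    findings = []
    for method, path in observed:
        if not any(m == method and path_to_regex(t).match(path) for m, t in declared):
            findings.append(("undefined-operation", f"{method} {path}"))
    for (method, template), op in declared.items():
        if not op.get("security"):
            findings.append(("no-security-scheme", f"{method} {template}"))
        if op.get("deprecated"):
            findings.append(("deprecated-operation", f"{method} {template}"))
        schema = (op.get("responses", {}).get("200", {}).get("content", {})
                  .get("application/json", {}).get("schema", {}))
        exposed = sorted(SENSITIVE_FIELDS & set(schema.get("properties", {})))
        if exposed:
            findings.append(("sensitive-field-exposed", f"{method} {template}: {exposed}"))
    return findings


if __name__ == "__main__":
    for finding in correlate(SPEC, OBSERVED):
        print(*finding)
```

Each finding records where the document and the running service disagree, which is the form of evidence an auditor asks for; nothing here changes the target or the spec.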
Authenticated scanning and safety controls
Authenticated scans in Starter and above support Bearer, API key, Basic auth, and Cookie methods. Domain verification is enforced through DNS TXT records or an HTTP well-known file to ensure only domain owners can submit credentials. The scanner uses a read-only methods policy, never sending destructive payloads, and blocks private IPs, localhost, and cloud metadata endpoints at multiple layers. Customer scan data can be deleted on demand and is never used for model training.
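The safety controls listed above are the kind of policy a black-box scanner must apply before sending its first request. The following Python is an added example, not middleBrick's code: it rejects targets that resolve to loopback, private, link-local or cloud-metadata addresses, restricts methods to a read-only set, keeps only allowlisted headers on an authenticated scan, and checks a domain-verification TXT token in constant time. The resolver is a constructed hostname-to-IP table so the example runs offline, and the TXT record prefix and header allowlist are placeholders rather than the product's real formats.

```python
"""Added example (not middleBrick's code): pre-flight safety policy for a
black-box API scanner. All sample data is constructed."""
import hmac
import ipaddress
from urllib.parse import urlsplit

READ_ONLY_METHODS = {"GET", "HEAD", "OPTIONS"}
HEADER_ALLOWLIST = {"authorization", "x-api-key", "cookie"}  # placeholder allowlist
BLOCKED_HOSTS = {"localhost", "metadata.google.internal"}
METADATA_IPS = {"169.254.169.254", "fd00:ec2::254"}  # cloud metadata service addresses
VERIFY_PREFIX = "scanner-verify="  # placeholder TXT record format

# Constructed resolver table. A real scanner resolves every A/AAAA record and
# connects to the address it checked, so a DNS rebind cannot swap it later.
FAKE_DNS = {
    "api.example.test": ["93.184.216.34"],
    "rebind.example.test": ["93.184.216.35", "10.0.0.5"],
}


def ip_is_blocked(ip_text):
    """True for anything that is not a public address, plus metadata IPs."""
    ip = ipaddress.ip_address(ip_text)
    return ip_text in METADATA_IPS or not ip.is_global


def check_target(url, resolver=FAKE_DNS.get):
    """Return (ok, reason). Every address the host resolves to must be public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "unsupported scheme or missing host"
    host = parts.hostname.rstrip(".")
    if host in BLOCKED_HOSTS or host.endswith(".localhost"):
        return False, f"blocked host {host}"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        addrs = resolver(host) or []
        if not addrs:
            return False, f"unresolvable host {host}"
    for addr in addrs:
        if ip_is_blocked(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


def check_request(method, headers):
    """Enforce the read-only method policy and drop non-allowlisted headers."""
    if method.upper() not in READ_ONLY_METHODS:
        return False, {}
    kept = {k: v for k, v in headers.items() if k.lower() in HEADER_ALLOWLIST}
    return True, kept


def domain_verified(txt_records, expected_token):
    """Constant-time check that one TXT record carries the expected token."""
    for record in txt_records:
        if record.startswith(VERIFY_PREFIX) and hmac.compare_digest(
                record[len(VERIFY_PREFIX):], expected_token):
            return True
    return False


if __name__ == "__main__":
    for url in ("https://api.example.test/openapi.json",
                "http://169.254.169.254/latest/meta-data/",
                "https://rebind.example.test/"):
        print(url, check_target(url))
    print(check_request("GET", {"Authorization": "Bearer t", "X-Debug": "1"}))
    print(domain_verified(["v=spf1 -all", "scanner-verify=abc123"], "abc123"))
```

Checking every resolved address (not just the first) is what catches the rebind case: a host that answers with one public and one private record is refused outright.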
Reporting, monitoring, and integration options
Results are available via the Web Dashboard with score trends, branded compliance PDFs, and detailed finding views. The CLI supports JSON and text output for scripting, while the GitHub Action can gate CI/CD when scores drop below a threshold. The Pro tier adds scheduled rescans, diff detection, email alerts, signed webhooks, and Slack or Teams notifications. The MCP Server enables scanning from AI coding assistants, and a programmatic API supports custom integrations.