Apigee for Enterprise organizations
What middleBrick covers
- Black-box scans that complete in under a minute
- Risk scoring on A to F scale with prioritized findings
- Authenticated scans with Bearer, API key, Basic, and Cookie
- OpenAPI 3.0/3.1 and Swagger 2.0 spec-aware analysis
- Continuous monitoring with scheduled rescans and diff detection
- Integrations via dashboard, CLI, GitHub Action, MCP, and API
Overview for enterprise API programs
Apigee serves enterprise organizations as an API management layer and is often paired with security gateways and developer portals. From a security review standpoint, middleBrick operates as a black-box scanner: it assesses the runtime behavior of exposed endpoints without requiring code access or agents. In under a minute it returns a risk score on an A to F scale and a prioritized list of findings mapped to the OWASP API Top 10 (2023), so teams can measure current posture against a widely used industry baseline.
Security coverage and mapping to frameworks
middleBrick scans for 12 security categories and maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Top 10 (2023). Detection capabilities include:
- Authentication bypasses and JWT misconfigurations such as alg=none, weak key assumptions, and expired tokens
- Authorization flaws such as BOLA and BFLA
- Over-exposed properties and mass-assignment surfaces
- CORS wildcards and dangerous HTTP methods
- Rate-limit indicators and oversized responses
- PII and sensitive data patterns, including Luhn-validated card numbers and API key formats
- HTTPS and HSTS misconfigurations
- SSRF indicators involving internal IP probing
- Inventory issues such as missing versioning
- Unsafe consumption surfaces, including webhook callbacks
- LLM/AI security probes spanning system prompt extraction, instruction override, and token smuggling
Authenticated scanning and domain verification
With Starter tier and above, authenticated scanning supports Bearer tokens, API keys, Basic auth, and cookies. Before credentials are accepted, a domain verification gate confirms ownership via a DNS TXT record or an HTTP well-known file, so only the domain owner can submit authenticated scans against it. The scanner forwards only headers on a restricted allowlist (Authorization, X-API-Key, Cookie, and X-Custom-* headers), which keeps credential exposure to a minimum while still exercising the backend behavior that sits behind authentication.
OpenAPI and spec-aware analysis
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references the spec definitions against runtime observations to highlight undefined security schemes, unexpected sensitive fields, deprecated operations, and missing pagination. This helps teams identify deviations between documented contracts and actual runtime behavior without requiring access to source code or internal repositories.
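To make the spec-side half of that cross-reference concrete, here is an added example (not middleBrick's code, and not a reproduction of its analysis): a small checker that resolves local $ref pointers recursively, then walks every operation and flags a security requirement that names a scheme the document never defines, operations with security switched off, deprecated operations, and GET list endpoints with no pagination parameter. The OpenAPI document it runs on is constructed for the example.

```javascript
// Added example, not middleBrick code: a small spec-aware checker in the
// spirit of the analysis described above. It resolves local $ref pointers
// recursively (with a cycle guard), then flags operations whose security
// requirement names an undefined scheme, operations with no security at
// all, deprecated operations, and list endpoints without a pagination
// parameter. The sample document below is constructed for this example.

// Resolve a local JSON pointer such as "#/components/schemas/Order".
function resolvePointer(doc, ref) {
  if (!ref.startsWith('#/')) throw new Error(`external $ref not handled here: ${ref}`);
  return ref.slice(2).split('/').reduce((node, rawKey) => {
    const key = rawKey.replace(/~1/g, '/').replace(/~0/g, '~'); // RFC 6901 unescaping
    if (node === null || typeof node !== 'object' || !(key in node)) {
      throw new Error(`unresolvable $ref: ${ref}`);
    }
    return node[key];
  }, doc);
}

// Return a deep copy of `node` with every local $ref replaced by its target.
// `seen` holds the refs on the current path so a self-referencing schema
// terminates instead of recursing forever.
function resolveRefs(doc, node = doc, seen = new Set()) {
  if (Array.isArray(node)) return node.map((n) => resolveRefs(doc, n, seen));
  if (node === null || typeof node !== 'object') return node;
  if (typeof node.$ref === 'string') {
    if (seen.has(node.$ref)) return { circular: node.$ref };
    const chain = new Set(seen);
    chain.add(node.$ref);
    return resolveRefs(doc, resolvePointer(doc, node.$ref), chain);
  }
  const out = {};
  for (const [k, v] of Object.entries(node)) out[k] = resolveRefs(doc, v, seen);
  return out;
}

const METHODS = ['get', 'put', 'post', 'delete', 'patch', 'options', 'head'];
const PAGINATION_PARAMS = new Set(['limit', 'offset', 'page', 'page_size', 'per_page', 'cursor']);

function returnsArray(op) {
  const content = op.responses && op.responses['200'] && op.responses['200'].content;
  if (!content) return false;
  return Object.values(content).some((media) => media.schema && media.schema.type === 'array');
}

function analyzeSpec(rawDoc) {
  const doc = resolveRefs(rawDoc);
  const definedSchemes = Object.keys((doc.components && doc.components.securitySchemes) || {});
  const findings = [];
  for (const [path, item] of Object.entries(doc.paths || {})) {
    for (const method of METHODS) {
      const op = item[method];
      if (!op) continue;
      const id = `${method.toUpperCase()} ${path}`;
      // Operation-level `security` overrides the document-level default.
      const security = op.security !== undefined ? op.security : (doc.security || []);
      if (security.length === 0) findings.push({ op: id, issue: 'no-security-requirement' });
      for (const requirement of security) {
        const names = Object.keys(requirement);
        if (names.length === 0) findings.push({ op: id, issue: 'anonymous-access-allowed' });
        for (const name of names) {
          if (!definedSchemes.includes(name)) {
            findings.push({ op: id, issue: 'undefined-security-scheme', detail: name });
          }
        }
      }
      if (op.deprecated === true) findings.push({ op: id, issue: 'deprecated-operation' });
      const params = [...(item.parameters || []), ...(op.parameters || [])];
      const paginated = params.some((p) => p.in === 'query' && PAGINATION_PARAMS.has(p.name));
      if (method === 'get' && returnsArray(op) && !paginated) {
        findings.push({ op: id, issue: 'missing-pagination' });
      }
    }
  }
  return findings;
}

// Constructed sample: a global API-key requirement, one operation naming a
// scheme that is never defined, one with security switched off, one
// deprecated, one unpaginated list, and one list paginated via a $ref'd parameter.
const SAMPLE_SPEC = {
  openapi: '3.0.3',
  info: { title: 'Orders API (constructed sample)', version: '1.0.0' },
  security: [{ apiKey: [] }],
  components: {
    securitySchemes: { apiKey: { type: 'apiKey', in: 'header', name: 'X-API-Key' } },
    schemas: {
      Order: { type: 'object', properties: { id: { type: 'string' }, lines: { type: 'array', items: { $ref: '#/components/schemas/Line' } } } },
      Line: { type: 'object', properties: { sku: { type: 'string' } } },
    },
    parameters: { Limit: { name: 'limit', in: 'query', schema: { type: 'integer' } } },
  },
  paths: {
    '/orders': {
      get: { responses: { 200: { content: { 'application/json': { schema: { type: 'array', items: { $ref: '#/components/schemas/Order' } } } } } } },
      post: { security: [{ oauth: ['orders:write'] }], responses: { 201: { description: 'created' } } },
    },
    '/orders/{id}': {
      get: { security: [], responses: { 200: { content: { 'application/json': { schema: { $ref: '#/components/schemas/Order' } } } } } },
      delete: { deprecated: true, responses: { 204: { description: 'deleted' } } },
    },
    '/audit': {
      get: { parameters: [{ $ref: '#/components/parameters/Limit' }], responses: { 200: { content: { 'application/json': { schema: { type: 'array', items: { type: 'string' } } } } } } },
    },
  },
};

for (const finding of analyzeSpec(SAMPLE_SPEC)) console.log(finding);
```

Run as-is it prints four findings: the unpaginated GET /orders, the POST /orders requirement naming the undefined `oauth` scheme, GET /orders/{id} with an empty security array, and the deprecated DELETE. The spec-side result is the starting point; the runtime comparison (does the endpoint really reject an unauthenticated call, does it really return the documented fields) is what turns it into a finding about behavior rather than documentation.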
Continuous monitoring and integrations
Pro tier enables scheduled rescans at intervals of six hours, daily, weekly, or monthly, with diff detection to surface new findings, resolved issues, and score drift. Alerts are rate-limited to one email per hour per API and can be delivered via HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures, so a receiver should verify the signature and acknowledge promptly. The platform integrates into existing workflows through:
- A web dashboard for report viewing and trend tracking
- A CLI (the middlebrick npm package) with JSON or text output
- A GitHub Action that can fail builds when scores drop below a threshold
- An MCP server for AI coding assistants
- A programmable API for custom integrations
Scope, limitations, and data handling
middleBrick is a read-only scanner that does not modify, patch, or block systems. Destructive payloads are never sent, and private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Scan data is deletable on demand and purged within 30 days of cancellation, and it is never sold or used for model training. The tool does not perform active SQL injection or command injection testing, does not detect business logic vulnerabilities that require domain understanding, does not identify blind SSRF without out-of-band infrastructure, and does not replace a human pentester for high-stakes audits. It surfaces findings relevant to compliance evidence and helps you prepare for audits, but it is not an auditor and cannot certify compliance.