Apigee for SaaS

What middleBrick covers

  • Black-box scanning with read-only methods under one minute
  • Authentication testing for Bearer, API key, Basic, and Cookie
  • OWASP API Top 10 (2023) coverage and SOC 2/PCI-DSS alignment
  • OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution
  • Continuous monitoring with diff detection and webhook alerts
  • CI/CD integration via GitHub Action and MCP server support

API Security Posture for SaaS Platforms

SaaS applications expose public endpoints that handle authentication, tenant isolation, and sensitive user data. A consistent security posture across APIs is essential to control access and limit exposure. middleBrick maps findings to OWASP API Top 10 (2023) and supports audit evidence for SOC 2 Type II and PCI-DSS 4.0 controls relevant to API authentication and data handling.

Black-Box Scanning Approach

middleBrick operates as a black-box scanner with no agents, SDKs, or code access. It sends only read-only methods (GET and HEAD), plus text-only POST requests for the LLM probes, and completes a scan in under a minute. Across its three scan tiers the tool checks:

  • Authentication bypass and JWT misconfigurations such as alg=none acceptance or expired tokens
  • Security headers, HTTPS enforcement, and HSTS settings
  • BOLA/IDOR via sequential ID enumeration, and BFLA via admin endpoint probing
  • Over-exposed object properties and input validation weaknesses such as CORS wildcard usage
  • Rate-limit headers
  • Data exposure, including PII and API key formats in responses
  • SSRF indicators
  • Inventory issues such as missing API versioning
  • LLM security probes

Authenticated Scanning and Scope Control

Authenticated scanning is available from the Starter tier onward, supporting Bearer, API key, Basic auth, and Cookie credentials. Domain verification requires a DNS TXT record or an HTTP well-known file, so only the domain owner can run credentialed scans against it. Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers. Together these controls keep credentialed scanning inside a clearly defined scope, which is also what compliance evidence for authenticated testing requires.

OpenAPI Specification Analysis

middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. The analysis surfaces findings relevant to API design reviews and supports audit evidence for internal governance frameworks.

Continuous Monitoring and Integrations

The Pro tier enables scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection for new findings, resolved findings, and score drift. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks are auto-disabled after five consecutive delivery failures. Integrations include a web dashboard, a CLI distributed as an npm package, a GitHub Action that gates CI/CD builds below a score threshold, an MCP server for AI coding assistants, and a programmable API for custom workflows.
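The receiving side of the signed-webhook and diff-detection flow above, as an added example that is not middleBrick's own code: it verifies an HMAC-SHA256 signature over the raw body with a constant-time comparison before parsing anything, then computes the new/resolved/score-drift diff between two scan results. The header name, hex encoding, payload shape, and finding IDs are all assumptions constructed for the example, since the page does not specify them.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumption: the signature header carries the lowercase hex HMAC-SHA256 of the raw
# request body. middleBrick's actual header name and encoding are not given on this page.
SIGNATURE_HEADER = "X-Signature"  # hypothetical header name


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only if the signature header matches HMAC-SHA256(secret, raw_body)."""
    presented = headers.get(SIGNATURE_HEADER, "")
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged signature cannot be guessed byte by byte via timing.
    return hmac.compare_digest(expected, presented)


def diff_findings(previous: dict, current: dict) -> dict:
    """Compute the diff a monitoring alert would carry: new findings, resolved findings, score drift."""
    prev_ids = {f["id"] for f in previous["findings"]}
    cur_ids = {f["id"] for f in current["findings"]}
    return {
        "new": sorted(cur_ids - prev_ids),
        "resolved": sorted(prev_ids - cur_ids),
        "score_drift": current["score"] - previous["score"],
    }


def handle_webhook(secret: bytes, raw_body: bytes, headers: dict, previous: dict) -> Optional[dict]:
    """Reject unsigned or tampered deliveries before parsing; otherwise return the diff."""
    if not verify_webhook(secret, raw_body, headers):
        return None
    return diff_findings(previous, json.loads(raw_body))


# Constructed sample data (not real scan output or a real secret).
SECRET = b"constructed-webhook-secret"
PREVIOUS = {"score": 82, "findings": [{"id": "missing-hsts"}, {"id": "cors-wildcard"}]}
CURRENT_BODY = json.dumps(
    {"score": 76, "findings": [{"id": "cors-wildcard"}, {"id": "jwt-alg-none"}]}
).encode()
GOOD_HEADERS = {SIGNATURE_HEADER: hmac.new(SECRET, CURRENT_BODY, hashlib.sha256).hexdigest()}

if __name__ == "__main__":
    print(handle_webhook(SECRET, CURRENT_BODY, GOOD_HEADERS, PREVIOUS))
    print(handle_webhook(SECRET, CURRENT_BODY, {SIGNATURE_HEADER: "00"}, PREVIOUS))
```

A body that is modified in transit by even one byte fails verification and is never parsed, which is the property the signed webhook exists to provide.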

Frequently Asked Questions

Does this tool perform active SQL injection testing?
No. The scanner does not perform active SQL injection or command injection, as those require intrusive payloads outside its scope.
Can it detect business logic vulnerabilities?
No. Business logic vulnerabilities require human expertise aligned to your domain; the tool focuses on configuration and implementation weaknesses.
What compliance mappings are provided?
Findings map to OWASP API Top 10 (2023), and the tool supports audit evidence for SOC 2 Type II and PCI-DSS 4.0 where relevant to API security.
Is customer data retained or used for model training?
No. Scan data is deletable on demand, purged within 30 days of cancellation, never sold, and never used for model training.