Migrating from 42Crunch to middleBrick

What middleBrick covers

  • Black-box API scanning with read-only methods
  • Risk scoring from A to F with prioritized findings
  • Authentication support for Bearer, API key, Basic, Cookie
  • OWASP API Top 10 (2023) coverage and mapping to PCI-DSS 4.0, SOC 2
  • Programmatic access via CLI and API client
  • Scheduled monitoring and diff detection in Pro tier

Overview of migration goals

This guide outlines the practical steps and expected gaps when moving API security scanning from a specialized vendor such as 42Crunch to middleBrick. The objective is to preserve continuous monitoring, understand how the data differs, and carry over CI wiring, while recognizing that middleBrick is a scanner, not an auditor or remediation platform.

Data and scan history migration

Migrating historical scan data means exporting records from the source platform and mapping them onto what middleBrick can represent. Scan summaries, risk scores, and finding details can be imported manually via CSV or pushed programmatically with the middleBrick API client. Raw evidence such as exact request/response pairs cannot be recreated if the source tool did not retain full payloads, and middleBrick has no diff history from before its first scan of an API, so trend views start at the migration date.

  • Export scan reports and asset inventories from the source system.
  • Map risk ratings and tags to middleBrick scores and custom tags.
  • Use the API client to create or update assets and push normalized findings.
  • Preserve timestamps externally if you require long-term audit trails.

Rebuilding exact scan history is not supported; treat the migration as a point-in-time snapshot and rely on ongoing monitoring for future tracking.
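As an added example (not middleBrick's or 42Crunch's code) of the mapping steps above: a Python script that reads a constructed CSV export, converts the vendor's 0-100 score into a letter grade using hypothetical thresholds, tags each asset for a hypothetical create/update call on the API client, and keeps the original timestamps and scores in a separate audit record. The column names, sample rows, thresholds and payload shape are all assumptions. An asset with no source score is tagged as unscored rather than given an invented grade, so the migrated inventory never claims a rating the source never produced.

```python
"""Normalize an exported scan summary into middleBrick-shaped asset records.

Added example, not middleBrick's or 42Crunch's code. Assumptions:
- the CSV columns (api_name, base_url, vendor_score, tags, last_scanned)
  and the sample rows below are constructed for illustration;
- the vendor_score -> A..F thresholds are a hypothetical mapping to tune;
- create_asset_payload() shapes a dict for a hypothetical "create asset"
  call on the middleBrick API client, not its real schema.
"""
import csv
import io
import json
from datetime import datetime, timezone

# Constructed export; a real 42Crunch export will have different columns.
EXPORT_CSV = """api_name,base_url,vendor_score,tags,last_scanned
orders,https://api.example.com/orders,91,prod;pci,2024-03-01T10:15:00Z
billing,https://api.example.com/billing,58,prod,2024-03-02T08:00:00Z
legacy-search,https://search.example.com/v1,,deprecated,2023-11-20T23:59:00Z
"""

# Hypothetical thresholds: vendor 0-100 score -> letter grade, best first.
GRADE_BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]


def score_to_grade(score):
    """Map a 0-100 score to A..F; None means the export carried no score."""
    if score is None:
        return None
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    for floor, grade in GRADE_BANDS:
        if score >= floor:
            return grade
    return "F"


def parse_row(row):
    """Turn one CSV row into typed fields; blank score stays None."""
    raw = row["vendor_score"].strip()
    score = int(raw) if raw else None
    tags = [t for t in row["tags"].split(";") if t]
    ts = datetime.strptime(row["last_scanned"], "%Y-%m-%dT%H:%M:%SZ")
    ts = ts.replace(tzinfo=timezone.utc)
    return {"name": row["api_name"], "url": row["base_url"],
            "score": score, "tags": tags, "last_scanned": ts}


def create_asset_payload(asset):
    """Shape one asset for a hypothetical create/update call (assumed schema)."""
    grade = score_to_grade(asset["score"])
    tags = ["migrated:42crunch", *asset["tags"]]
    # Unscored assets get a marker tag instead of a fabricated grade.
    tags.append("migrated:unscored" if grade is None else f"migrated:grade-{grade}")
    return {"name": asset["name"], "url": asset["url"], "tags": tags}


def normalize_export(csv_text):
    """Return (payloads, audit_trail).

    The audit trail keeps the source timestamps and scores outside
    middleBrick, which will date everything from its own first scan.
    """
    payloads, audit = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        asset = parse_row(row)
        payloads.append(create_asset_payload(asset))
        audit.append({
            "name": asset["name"],
            "source": "42crunch",
            "source_score": asset["score"],
            "source_last_scanned": asset["last_scanned"].isoformat(),
            "imported_at": datetime.now(timezone.utc).isoformat(),
        })
    return payloads, audit


if __name__ == "__main__":
    payloads, audit = normalize_export(EXPORT_CSV)
    print(json.dumps({"payloads": payloads, "audit": audit}, indent=2))
```

Keep the audit list (or the raw export) in your own storage; it is the only place the pre-migration timestamps survive.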

CI/CD and workflow integration

Preserving CI wiring involves replicating gate logic and notification paths. The middleBrick GitHub Action can fail builds based on a score threshold, similar to many CI plugins. You will need to recreate the job configuration and supply authentication via environment variables or a configuration file. For other CI systems, use the CLI or API client to invoke scans and parse JSON output to enforce policies.

middlebrick scan https://api.example.com --format json --output result.json

Email and Slack alert routing must be reconfigured in the middleBrick dashboard or via webhooks. If the source tool used custom headers or authentication schemes not supported by middleBrick, adjust the API calls or authentication flow accordingly. The dashboard allows per-API thresholds and scheduled rescans to approximate prior automation cadence.
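An added example (not the middleBrick GitHub Action or CLI) of the gate logic described above: a Python check that reads result.json and fails the job when the grade is below a threshold or any finding is at or above a blocking severity, and fails closed when the file is missing or malformed. The JSON shape (a top-level letter score plus a findings list with severities) and the sample result are assumptions to confirm against a real `middlebrick scan --format json` run before relying on them.

```python
"""Fail a CI job from middleBrick JSON output.

Added example, not the middleBrick GitHub Action or CLI. Assumptions:
- result.json has a top-level "score" (a letter A..F) and "findings", each
  with a "severity" of critical/high/medium/low/info. This shape is a guess;
  check it against a real `middlebrick scan --format json` run first.
- SAMPLE_RESULT below is constructed, not captured output.
"""
import json
import sys

GRADES = "ABCDEF"                                       # best to worst
SEVERITIES = ["critical", "high", "medium", "low", "info"]  # worst to best

# Constructed sample of what a scan might emit.
SAMPLE_RESULT = {
    "target": "https://api.example.com",
    "score": "C",
    "findings": [
        {"id": "f-1", "severity": "high", "title": "Missing rate limiting"},
        {"id": "f-2", "severity": "medium", "title": "Verbose error body"},
    ],
}


def grade_rank(grade):
    """Lower rank is better. Unknown grades raise so the gate fails closed."""
    g = str(grade).strip().upper()
    if g not in GRADES:
        raise ValueError(f"unrecognized grade: {grade!r}")
    return GRADES.index(g)


def evaluate(result, min_grade="B", block_severity="high"):
    """Return (passed, reasons). Any malformed input counts as a failure.

    Two independent checks: the overall grade must be at least min_grade,
    and no finding may be at block_severity or worse. Checking both keeps
    a single severe finding from hiding behind an acceptable aggregate.
    """
    reasons = []
    try:
        if grade_rank(result["score"]) > grade_rank(min_grade):
            reasons.append(f"score {result['score']} is below threshold {min_grade}")
        worst_allowed = SEVERITIES.index(block_severity)
        for f in result.get("findings", []):
            sev = str(f.get("severity", "")).lower()
            if sev not in SEVERITIES:
                reasons.append(f"finding {f.get('id')} has unknown severity {sev!r}")
            elif SEVERITIES.index(sev) <= worst_allowed:
                reasons.append(f"finding {f.get('id')} is {sev}: {f.get('title', '')}")
    except (KeyError, ValueError, TypeError, AttributeError) as exc:
        reasons.append(f"malformed scan output: {exc}")
    return (not reasons, reasons)


def gate_file(path, min_grade="B", block_severity="high"):
    """Load a result file and return the process exit code (0 = pass)."""
    try:
        with open(path) as fh:
            result = json.load(fh)
    except (OSError, json.JSONDecodeError) as exc:
        print(f"gate: cannot read {path}: {exc}", file=sys.stderr)
        return 2  # fail closed: a missing result is not a pass
    passed, reasons = evaluate(result, min_grade, block_severity)
    for r in reasons:
        print(f"gate: {r}", file=sys.stderr)
    return 0 if passed else 1


if __name__ == "__main__":
    # Demo on the constructed sample; in CI use: sys.exit(gate_file("result.json"))
    ok, why = evaluate(SAMPLE_RESULT)
    print("PASS" if ok else "FAIL", why)
    sys.exit(0 if ok else 1)
```

Run it as the step after the scan command so the job's exit status is the gate's exit status; a threshold of B with a high-severity block is a starting point, not a recommendation, and should be tuned per API in line with the per-API thresholds the dashboard offers.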

Feature coverage and gaps

middleBrick covers the OWASP API Top 10 (2023) and maps findings to PCI-DSS 4.0 and SOC 2 Type II controls, with other regulatory alignment where applicable. It performs black-box scanning using read-only methods and supports authentication via Bearer, API key, Basic auth, and cookies. Detection covers authentication bypass, IDOR, privilege escalation, input validation, rate limiting, data exposure, encryption issues, SSRF indicators, inventory issues, unsafe consumption patterns, and LLM/AI adversarial probes.

Compared to a specialized vendor, gaps may include deeper business logic testing, custom mutation payloads, or proprietary detection signatures. middleBrick does not perform active injection attacks, fix code, or replace human pentesters for high-stakes audits. Continuous monitoring and compliance reporting are available in Pro and Enterprise tiers, but organizations should validate that the tool’s detection set matches their specific API surface and risk appetite.

Operational considerations and limitations

Plan for differences in scan scope and reporting formats. middleBrick only uses read-only methods and blocks destructive payloads, private IPs, localhost, and cloud metadata endpoints. Customer data can be deleted on demand and is never sold or used for model training. Authentication domains must be verified before credentials are accepted, and header forwarding is limited to allowlisted names.

When migrating CI pipelines, ensure that threshold values, scan frequency, and alert recipients are reconfigured. Use the API client to integrate findings into existing ticketing or SIEM systems if native integrations are not available. Regularly review the dashboard's score trends and diff views to monitor improvements and regressions over time.

Frequently Asked Questions

Can I import historical scan data from 42Crunch?
You can manually import summaries and metadata via CSV or the API client, but detailed evidence and exact timestamps may not be preserved.
Does middleBrick support the same authentication methods?
Yes, it supports Bearer, API key, Basic auth, and cookies, with domain verification to ensure only owners can scan with credentials.
Will my CI gates work the same after migration?
You can replicate gate logic using the GitHub Action or CLI with JSON output; thresholds and schedules can be adjusted in the dashboard.
Is business logic testing covered?
No, business logic vulnerabilities require human expertise; the scanner focuses on implementation-level issues aligned to OWASP API Top 10.
How is compliance mapping handled?