Migrating from 42Crunch to middleBrick for DevSecOps-owned API security
What middleBrick covers
- Black-box API scanning without agents or SDKs
- Risk score A–F with prioritized findings
- 12 OWASP API Top 10 (2023) detection categories
- OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with domain verification
- CI/CD integration via GitHub Action and CLI
From developer-owned scanning to standardized API security testing
Migrating from 42Crunch to middleBrick shifts your approach to a developer-owned workflow that does not require privileged build environments or special runtime permissions. middleBrick is a self-service API security scanner that you trigger with a URL and receive a risk score from A to F along with prioritized findings. Because it operates as a black-box scanner, it does not need agents, SDKs, or access to your source code, and it supports any language, framework, or cloud stack. Scan duration remains under a minute, using read-only methods such as GET and HEAD, with text-only POST for LLM probes. This model fits naturally into DevSecOps pipelines where the goal is fast, repeatable security checks without handing scanners elevated system access.
Detection coverage aligned to recognized standards
The scanner evaluates 12 security categories aligned to the OWASP API Top 10 (2023), including Authentication bypass and JWT misconfigurations such as alg=none, HS256, expired or missing claims, and sensitive data in token payloads. It checks for BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, and BFLA through admin endpoint probing and role or permission field leakage. Additional coverage includes Property Authorization over-exposure, Input Validation issues like CORS wildcard usage and dangerous HTTP methods, Rate Limiting and Resource Consumption detection via headers and oversized responses, and Data Exposure patterns such as emails, Luhn-validated card numbers, SSN-like strings, API key formats, and error or stack-trace leakage. The scanner also assesses Encryption misconfigurations, SSRF risks in URL-accepting parameters, Inventory Management weaknesses, Unsafe Consumption surfaces, and LLM / AI Security through 18 adversarial probes across Quick, Standard, and Deep tiers. For design-time analysis, it parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution and cross-references spec definitions against runtime behavior. These findings map directly to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other regulations, the output helps you prepare for audit evidence and aligns with security controls described in relevant frameworks, without claiming certification or guarantees.
Authenticated scanning and domain verification requirements
Authenticated scanning is available from the Starter tier onward, supporting Bearer tokens, API keys, Basic auth, and Cookies. To prevent unauthorized scans, a domain verification gate is enforced using either a DNS TXT record or an HTTP well-known file, ensuring that only the domain owner can submit credentials. When credentials are provided, the scanner limits forwarded headers to an allowlist that includes Authorization, X-API-Key, Cookie, and X-Custom-* headers. This controlled approach integrates authentication checks into DevSecOps workflows while preserving strict boundaries on what the scanner can exercise.
Integration options and continuous monitoring
The product offers multiple consumption models to fit different stages of your workflow. The Web Dashboard centralizes scans, report viewing, score trend tracking, and downloadable branded compliance PDFs. The CLI, distributed as an npm package named middlebrick, supports commands such as middlebrick scan <url> with JSON or text output for scripting. A GitHub Action is available to act as a CI/CD gate, failing the build when the score drops below a defined threshold. An MCP Server enables scanning from AI coding assistants such as Claude or Cursor. For ongoing risk management, the Pro tier adds scheduled rescans every 6 hours, daily, weekly, or monthly, diff detection across scans to highlight new or resolved findings and score drift, email alerts rate-limited to 1 per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures. Enterprise tiers provide unlimited APIs, custom rules, SSO, audit logs, an SLA, and dedicated support.
Safety posture and clear limitations
The scanner follows a strict read-only methodology and never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers to prevent accidental impact on internal resources. Customer data can be deleted on demand and is purged within 30 days of cancellation; it is never sold or used for model training. It is important to understand what the scanner does not do: it does not fix, patch, block, or remediate issues, nor does it perform active SQL injection or command injection testing, which require intrusive payloads outside its scope. It does not detect business logic vulnerabilities, blind SSRF relying on out-of-band infrastructure, or replace a human pentester for high-stakes audits. These limitations are documented explicitly to set accurate expectations for security teams integrating the tool into their workflows.
Frequently Asked Questions
Does middleBrick require an agent or SDK to be installed in my application?
No, middleBrick performs black-box scanning without agents, SDKs, or code access. It works with any stack by interacting with the live API surface.
How are authentication credentials handled during a scan?
Credentials are accepted from the Starter tier onward and are protected by a domain verification gate. Only a restricted set of headers is forwarded to limit exposure.
Can the tool prove compliance with regulations such as HIPAA or GDPR?
The tool helps you prepare evidence and aligns with security controls described in various frameworks, but it does not certify or guarantee compliance with any regulation.
What happens to scan data after my subscription ends?
Customer data is deletable on demand and is purged within 30 days of cancellation. It is never sold or used for model training.
Does the scanner test for SQL injection or command injection?
No, active SQL injection and command injection testing is outside scope, as it would require intrusive payloads that conflict with the read-only design.