Migrating from 42Crunch to OWASP ZAP

What middleBrick covers

  • Black-box scanning with no agents or SDK dependencies
  • 12 OWASP API Top 10 (2023) detection categories
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
  • Authenticated scans with header allowlist and domain verification
  • CI/CD integration via CLI, GitHub Action, and MCP server
  • Continuous monitoring with diff detection and HMAC-SHA256 webhooks

Purpose and scope of migration

This guide outlines how to move from a vendor-specific scanner to an API security scanner that operates without agents or code access. The focus is on preserving scan coverage, CI/CD wiring, and compliance mappings while understanding the differences in methodology and findings.

Data export and scan history

Export findings, test targets, and metadata from the source platform using its reporting or API features. Fields to retain include endpoint paths, parameters, HTTP methods, severity levels, and any custom tags. Scan history must be maintained externally, because historical runs are not reimported by the new scanner.

  • Capture JSON or CSV exports of each project.
  • Map finding IDs to a stable reference such as endpoint + method + parameter.
  • Keep timestamps and scanner versions for audit trails.

Without agent integration, the new tool cannot retroactively link to prior runs; treat prior reports as point-in-time evidence.

CI/CD and automation continuity

Recreate your gates using the new scanner’s CLI and webhooks. The CLI supports JSON output for easy parsing in pipeline scripts. Configure quality gates either as score thresholds or as specific findings that fail the build. If the previous system used custom headers or authenticated scans, replicate those settings via environment variables or secure vault references.

middlebrick scan https://api.example.com --format json --output findings.json

For GitHub Actions, replace the old action step with the new integration and adjust thresholds to match risk tolerance. Ensure domain verification is completed for authenticated scans so credentials are only accepted from the correct owner.
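A minimal quality gate over the JSON report written by the command above, as an added example (not middleBrick's own tooling): the report schema, the score threshold and the blocking categories are assumptions to adjust to the real output and your risk tolerance.

```python
import json
import sys

# Assumed shape of findings.json (the page does not document the schema):
#   {"score": <0-100>, "findings": [{"severity": "...", "category": "...",
#                                    "method": "...", "endpoint": "..."}]}
MIN_SCORE = 80                                   # tune to risk tolerance
BLOCKING_SEVERITIES = {"critical", "high"}
BLOCKING_CATEGORIES = {"API2:2023 Broken Authentication"}  # always fail the build

def evaluate_gate(report, min_score=MIN_SCORE,
                  blocking_severities=BLOCKING_SEVERITIES,
                  blocking_categories=BLOCKING_CATEGORIES):
    """Return (passed, reasons): fail on a low score or any blocking finding."""
    reasons = []
    score = report.get("score")
    if score is None or score < min_score:
        reasons.append(f"score {score} is below threshold {min_score}")
    for finding in report.get("findings", []):
        sev = str(finding.get("severity", "")).lower()
        cat = finding.get("category", "")
        if sev in blocking_severities or cat in blocking_categories:
            reasons.append(f"{sev} finding [{cat}] at "
                           f"{finding.get('method')} {finding.get('endpoint')}")
    return (not reasons, reasons)

def gate_file(path):
    """Load a findings.json written by `middlebrick scan --format json` and gate on it."""
    with open(path, encoding="utf-8") as fh:
        return evaluate_gate(json.load(fh))

# Constructed sample report used when no file is given, so the script runs offline.
SAMPLE_REPORT = {
    "score": 85,
    "findings": [
        {"severity": "medium", "category": "API8:2023 Security Misconfiguration",
         "method": "GET", "endpoint": "/health"},
    ],
}

if __name__ == "__main__":
    passed, reasons = (gate_file(sys.argv[1]) if len(sys.argv) > 1
                       else evaluate_gate(SAMPLE_REPORT))
    for reason in reasons:
        print("GATE FAIL:", reason)
    print("gate passed" if passed else "gate failed")
    sys.exit(0 if passed else 1)   # a non-zero exit code fails the pipeline step
```

Run it as `python gate.py findings.json` after the scan step; the exit code is what the pipeline keys on.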

Finding and category mapping

Compare the old taxonomy to the new scanner’s categories aligned to OWASP API Top 10 (2023) and PCI-DSS 4.0. Map similar controls such as authentication bypass, excessive data exposure, and injection surface indicators. Note that the new tool performs black-box checks only and does not execute intrusive payloads, so findings requiring active exploitation will not be reproduced.

  • Authentication and security headers map directly to OWASP categories.
  • BOLA and IDOR findings correlate with insecure direct object references.
  • Rate limiting and oversized response checks align with resource consumption controls.

Any gaps due to methodology differences should be documented as accepted risk.
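Putting the export steps above and the category mapping together, here is an added example (not the vendor's code) that keys legacy findings by endpoint + method + parameter, retains timestamps and scanner versions for the audit trail, and separates mappable findings from methodology gaps to record as accepted risk; the CSV columns, the legacy category names and the mapping table are assumptions to replace with your own export.

```python
import csv
import io
from datetime import datetime

# Constructed legacy export; vendor column names differ, so adjust to your own export.
LEGACY_CSV = """finding_id,path,method,parameter,category,severity,scanned_at,scanner_version
F-1001,/users/{id},GET,id,Insecure direct object reference,high,2024-03-01T10:00:00Z,3.2.1
F-1002,/users/{id},GET,,Excessive data exposure,medium,2024-03-01T10:00:00Z,3.2.1
F-1003,/login,POST,password,Missing rate limiting,medium,2024-03-01T10:00:00Z,3.2.1
F-1004,/orders/,GET,q,SQL injection,high,2024-03-01T10:00:00Z,3.2.1
"""

# Old taxonomy -> OWASP API Top 10 (2023). None marks a check the black-box
# scanner does not perform; such findings go on the accepted-risk list.
CATEGORY_MAP = {
    "Insecure direct object reference": "API1:2023 Broken Object Level Authorization",
    "Excessive data exposure": "API3:2023 Broken Object Property Level Authorization",
    "Missing rate limiting": "API4:2023 Unrestricted Resource Consumption",
    "SQL injection": None,  # active injection tests are out of scope
}

def stable_key(path, method, parameter=""):
    """Scanner-independent identity: 'METHOD /path[parameter]' with a normalized path."""
    norm_path = path.strip().rstrip("/") or "/"
    key = f"{method.strip().upper()} {norm_path}"
    return f"{key}[{parameter.strip()}]" if parameter.strip() else key

def normalize(csv_text):
    """Parse the legacy export into records keyed by stable_key, keeping audit fields."""
    records = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = stable_key(row["path"], row["method"], row.get("parameter") or "")
        records[key] = {
            "legacy_id": row["finding_id"],
            "legacy_category": row["category"],
            "owasp_category": CATEGORY_MAP.get(row["category"]),
            "severity": row["severity"].lower(),
            # Keep the original timestamp and scanner version for the audit trail.
            "scanned_at": datetime.fromisoformat(row["scanned_at"].replace("Z", "+00:00")),
            "scanner_version": row["scanner_version"],
        }
    return records

def migration_report(records):
    """Split findings into mappable ones and gaps (unmapped or out-of-scope categories)."""
    mapped = {k: v for k, v in records.items() if v["owasp_category"]}
    gaps = {k: v for k, v in records.items() if v["owasp_category"] is None}
    return mapped, gaps
```

Everything in `gaps` is what the accepted-risk record should list, alongside the legacy ID and scan timestamp kept on each record.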

Known gaps and operational limits

Understand what changes when switching tools. The new scanner does not perform active SQL injection or command injection tests, nor does it detect blind SSRF via out-of-band channels. Business logic vulnerabilities and certain advanced client-side issues require manual review. Scheduled rescans and diff reporting help track drift, but they do not replace human analysis for complex logic flaws.

  • No automatic fixes or patching are provided; the tool reports and suggests remediation.
  • Authenticated scanning requires domain ownership verification via DNS or file token.
  • Scan scope is limited to read-only methods unless explicitly configured for text-only POST probes.

Use this assessment to decide where supplemental testing or a human pentest is still needed.

Compliance mapping and reporting

The new platform maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Reports include risk scores, prioritized findings, and remediation guidance. You can generate branded compliance PDFs and signed webhooks for integration with ticketing or SIEM systems. For frameworks outside this set, the tool helps you prepare for audits by surfacing findings relevant to security controls without claiming certification or compliance guarantees.
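For the receiving side of the HMAC-SHA256 signed webhooks, an added example (not the scanner's own code) of the verification a ticketing or SIEM integration should perform before trusting a delivery; the header names, the hex encoding and the timestamp-in-signature scheme are assumptions to check against the scanner's documentation.

```python
import hashlib
import hmac
import json
import time

# Header names, hex encoding and the timestamp-in-signature scheme are
# assumptions for this example; confirm them against the scanner's docs.
SIGNATURE_HEADER = "X-Signature"
TIMESTAMP_HEADER = "X-Timestamp"
MAX_SKEW_SECONDS = 300   # reject deliveries older than 5 minutes (replay window)

def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>', hex encoded."""
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify_webhook(secret: bytes, headers: dict, body: bytes, now=None) -> bool:
    """True only if the timestamp is fresh and the signature matches the raw body.
    Verify before parsing the JSON, and compare in constant time."""
    now = time.time() if now is None else now
    ts = headers.get(TIMESTAMP_HEADER, "")
    sig = headers.get(SIGNATURE_HEADER, "")
    if not ts.isdigit() or abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False
    expected = sign(secret, ts, body)
    return hmac.compare_digest(expected.encode(), sig.encode())

# Constructed delivery: a diff-detection alert as the scanner might post it.
SECRET = b"constructed-secret-load-the-real-one-from-your-vault"
BODY = json.dumps({"event": "scan.diff", "target": "https://api.example.com",
                   "new_findings": 1, "resolved_findings": 0}).encode()
TS = "1700000000"
HEADERS = {TIMESTAMP_HEADER: TS, SIGNATURE_HEADER: sign(SECRET, TS, BODY)}

if __name__ == "__main__":
    print("accepted" if verify_webhook(SECRET, HEADERS, BODY, now=1700000010) else "rejected")
```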

Frequently Asked Questions

Can I automatically recreate exact historical findings?
No. Historical runs are not reimported; treat prior reports as standalone evidence and focus on current coverage.

Does the scanner perform active injection tests like SQLi?
No. It is limited to read-only methods and text-only POST probes; intrusive payloads are out of scope.

How are authenticated scans validated?
Domain verification via DNS TXT record or HTTP well-known file ensures only the domain owner can submit credentials.

What compliance claims does the tool support?
It maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). It does not certify compliance with HIPAA, GDPR, ISO 27001, or other regulations.

Can I integrate the scanner into my existing CI pipeline?
Yes. Use the CLI with JSON output and configure quality gates; the GitHub Action supports CI/CD gating and Slack/Teams alerts.