Migrating from APIsec to Bright Security

What middleBrick covers

  • Black-box scanning with no agents or SDK dependencies
  • Under-one-minute scan time for rapid feedback
  • Read-only methods to ensure safe testing
  • Detection of OWASP API Top 10 categories
  • OpenAPI spec parsing and cross-reference validation
  • CI/CD integration with configurable score gates

Overview of migration considerations

This guide focuses on practical steps when moving an existing API security program from another scanner to middleBrick. The emphasis is on data export, rebuilding CI workflows, and understanding functional gaps. middleBrick is a scanner, not an auditor, and does not replace the need for human review or formal compliance assessments.

Data export and scan history

Export scan results and configuration from your current platform in a structured format such as JSON or CSV. If the source tool provides per-API risk findings, map each API endpoint to its corresponding URL in middleBrick. Scan histories are not automatically transferred; you will rebuild tracking by re-running scans against the same endpoints and storing reports in the middleBrick Web Dashboard or an external system. Consider scripting repeated scans to preserve trend data across the migration.

Rebuilding CI/CD and automation wiring

Recreate your CI gates using the middleBrick CLI or API. In GitHub Actions, replace previous plugin steps with the official GitHub Action, ensuring the job fails when the score drops below your chosen threshold. Example workflow snippet:

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: MiddleBrick Scan
        uses: middlebrick/action@v1
        with:
          url: 'https://api.example.com/openapi.json'
          threshold: 'C'
          output: 'json'

For other CI systems, use the CLI with middlebrick scan <url> and parse JSON output to fail builds as needed. Note that scan scheduling must be reconfigured in the middleBrick dashboard or via cron-driven CLI calls.
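An added example (not middleBrick's own tooling) of the gate described here, which also covers the earlier advice to script repeated scans and keep trend data: it reads a scan report as JSON on stdin, appends a one-line trend row to a JSONL history file, and exits non-zero when the letter grade is worse than the threshold. The report field names (`grade`, `findings`, `severity`) and the A-to-F grade scale are assumptions, not middleBrick's documented output schema; adjust them to whatever the CLI actually emits.

```python
"""CI gate for a middleBrick JSON scan report (assumed schema, see lead-in)."""
import json
import sys
from datetime import datetime, timezone

# Letter grades from best to worst; a threshold of 'C' means C or better passes.
GRADE_ORDER = ["A", "B", "C", "D", "F"]

# Constructed sample report; field names are assumptions, not middleBrick's schema.
SAMPLE_REPORT = {
    "url": "https://api.example.com/openapi.json",
    "grade": "D",
    "findings": [
        {"category": "API2:2023 Broken Authentication", "severity": "high"},
        {"category": "API8:2023 Security Misconfiguration", "severity": "medium"},
    ],
}
SAMPLE_REPORT_JSON = json.dumps(SAMPLE_REPORT)


def grade_meets_threshold(grade, threshold):
    """True when grade is at least as good as threshold (A best, F worst)."""
    try:
        return GRADE_ORDER.index(grade.upper()) <= GRADE_ORDER.index(threshold.upper())
    except ValueError:
        # Unknown or missing grade: fail closed so a schema change cannot pass the gate.
        return False


def trend_record(report, now=None):
    """Flatten one report into a row for a JSONL history file (trend tracking)."""
    now = now or datetime.now(timezone.utc)
    by_sev = {}
    for finding in report.get("findings", []):
        sev = finding.get("severity", "unknown")
        by_sev[sev] = by_sev.get(sev, 0) + 1
    return {"ts": now.isoformat(), "url": report.get("url"),
            "grade": report.get("grade"), "findings_by_severity": by_sev}


def gate(report_json, threshold, history_path=None):
    """Append the trend row, then return the CI exit code: 0 pass, 1 fail."""
    report = json.loads(report_json)
    if history_path:
        with open(history_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(trend_record(report)) + "\n")
    return 0 if grade_meets_threshold(str(report.get("grade", "")), threshold) else 1


if __name__ == "__main__":
    # Usage in CI: middlebrick scan <url> | python gate.py C history.jsonl
    data = SAMPLE_REPORT_JSON if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(gate(data, sys.argv[1] if len(sys.argv) > 1 else "C",
                  sys.argv[2] if len(sys.argv) > 2 else None))
```

Run with no stdin to exercise the constructed sample; in a pipeline the exit code is what fails the build.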

Known functional gaps to anticipate

middleBrick does not perform active SQL injection or command injection testing, nor does it detect business logic vulnerabilities. It does not replace a human pentester for high-stakes audits. If your previous tool included network-level or intrusive payload testing, you will need separate coverage for those areas. Plan for manual validation of logic flaws and complementary security testing where appropriate.

Mapping compliance and reporting needs

middleBrick maps findings to OWASP API Top 10 (2023) and can help prepare evidence for SOC 2 Type II and PCI-DSS 4.0. For frameworks outside this scope, such as ISO 27001 or GDPR, the tool supports audit evidence collection through findings and reports but does not provide certification or guarantees. Use the dashboard to generate branded compliance PDFs and configure email or webhook alerts to integrate findings into existing governance processes.

Frequently Asked Questions

Can I import my old scan reports into middleBrick?
You cannot directly import scan reports, but you can export endpoint lists and re-run scans with the same parameters to rebuild findings and score trends.

Will migrating preserve my CI/CD failure thresholds?
You will need to recreate thresholds in the middleBrick dashboard or CI configuration. The CLI and GitHub Action support the same threshold-based failure modes.

Does middleBrick support authenticated scans for my APIs?
Yes, authenticated scanning is supported with Bearer tokens, API keys, Basic auth, and cookies. Domain verification is required for credentials to ensure only the domain owner can scan.

How are compliance mappings handled during migration?
middleBrick maps findings to OWASP API Top 10 and can help prepare evidence for SOC 2 Type II and PCI-DSS 4.0. Other frameworks are supported as alignment aids only.

What happens to scan data when I cancel my subscription?
Customer data is deletable on demand and purged within 30 days of cancellation. It is never sold or used for model training.