Migrating from APIsec to Lasso Security

What middleBrick covers

  • Black-box API scanning with no agents or SDK integration
  • Risk scoring A–F aligned to OWASP API Top 10
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with ref resolution
  • Authenticated scanning with header allowlist and domain verification
  • CI/CD integration via CLI and GitHub Action
  • Continuous monitoring with diff detection and signed webhooks

Overview of migration considerations

Moving from a prior scanner to middleBrick involves comparing coverage, authentication models, and output formats. This guide focuses on exporting existing data, rebuilding scan workflows in CI, and the known gaps, so you can plan a low-risk transition.

Exporting and normalizing existing scan data

Export findings from your current platform in its native format, then map each field to its middleBrick equivalent. Typical mappings are severity to risk score, issue category to an OWASP API Top 10 tag, and the finding's reference to the affected endpoint path and HTTP method. Use the middleBrick CLI to validate the normalized results before you rerun scans, so that mapping mistakes surface before they pollute trend data.

// Example: mapping a JSON finding to middleBrick output
const normalized = {
  source: "apisec",                 // origin of the imported finding
  endpoint: "/users/{id}",          // path template as written in the OpenAPI document
  method: "GET",
  category: "BOLA",                 // OWASP API Top 10 category tag
  severity: "high",                 // mapped from the prior scanner's rating
  description: "Unrestricted access to other users' resources",
  evidence: "Different ID returned 200 versus 404"
};

Rebuilding historical trend lines depends on consistent tagging: the same endpoint and weakness must map to the same tag in every export. Prefer mapping to OWASP API Top 10 categories and to the three frameworks middleBrick maps directly (OWASP API Top 10 2023, PCI-DSS 4.0, and SOC 2 Type II).

Rebuilding CI/CD and automation pipelines

Recreate your gates using the middleBrick CLI and GitHub Action. The CLI supports JSON output for scripting, and the action fails the build when the score drops below your chosen threshold. Authenticated scans in CI use the same header allowlist as interactive scans: Bearer tokens, API keys, Basic auth, and cookies, with domain verification required before credentials are sent to a target. Keep the credentials in your CI secret store rather than in the workflow file.

# Example GitHub Action step
- name: MiddleBrick scan
  uses: middlebrick/action@v1
  with:
    url: https://api.example.com/openapi.json
    threshold: C
    output: json

Compare how your previous pipeline passed scan IDs between steps with how middleBrick tracks scans by target URL and schedule, and adjust any job that looked scans up by ID. If you use continuous monitoring, update webhook consumers to expect HMAC-SHA256 signed payloads: compute the HMAC over the raw request body before parsing it, compare it to the presented signature in constant time, and drop events that fail verification before they reach ticketing or chat integrations.

Known gaps and limitations

middleBrick does not perform active SQL injection or command injection testing, and it does not detect business logic vulnerabilities; these require domain-specific human analysis. It also does not detect blind SSRF, which needs out-of-band callback infrastructure, and it does not replace a full manual pentest for high-stakes audits.

If your prior tool performed intrusive exploitation or active injection checks, plan for complementary testing outside of automated scanning. Use the risk score and prioritized findings to triage manual effort rather than expecting one-to-one feature parity.

Compliance mapping and reporting

middleBrick maps findings directly to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II. For other frameworks, it helps you prepare for audits by surfacing findings relevant to controls described in HIPAA, GDPR, ISO 27001, NIST, CCPA, and similar regimes without asserting certification or compliance.

Use the dashboard to generate branded compliance PDFs and use the MCP Server to bring scanning guidance into AI-assisted development workflows. Continuous monitoring provides diff detection across scans so you can track remediation progress and score drift over time.

Frequently Asked Questions

Can I import my existing scan reports into middleBrick?
Yes. Export findings from your previous scanner, map fields such as severity and category, then validate normalized output with the CLI before rerunning scans.
Does middleBrick support authenticated scans in CI?
Yes. Provide Bearer, API key, Basic auth, or cookies along with domain verification. The GitHub Action supports these methods and fails builds based on score thresholds.
What compliance frameworks does middleBrick claim to support?
It maps findings directly to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II. For other frameworks it supports audit evidence preparation without certifying compliance.
Does the scanner perform active exploitation like SQL injection?
No. It focuses on detection and reporting with remediation guidance. Intrusive exploitation and blind SSRF testing are outside scope and require manual testing.
How are scan results stored and retained?
Customer data is deletable on demand and purged within 30 days of cancellation. It is not sold and is not used for model training.