Veracode review
What middleBrick covers
- Black-box API scanning with a risk score A–F in under a minute
- Detection aligned to OWASP API Top 10, PCI-DSS 4.0, and SOC 2 Type II
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- Authenticated scans with Bearer, API key, Basic auth, and cookies
- CI/CD integration via GitHub Action and MCP Server support
- Continuous monitoring with scheduled rescans and HMAC-SHA256 webhooks
Overview and positioning
middleBrick is a self-service API security scanner for teams that need a lightweight, infrastructure-agnostic assessment of their public-facing endpoints. You submit a URL and receive a risk score from A to F along with prioritized findings. The scanner works in black-box mode: it needs no agents, code access, or SDK integration, and because it only speaks HTTP to the target, the target's language, framework, and cloud environment do not matter. A scan typically completes in under a minute and uses read-only methods (GET and HEAD); the only POST requests it sends carry text-only bodies for the LLM probes.
Detection scope and methodology
The scanner evaluates 12 security categories aligned with the OWASP API Top 10 (2023):
- Authentication bypass and JWT misconfigurations
- Broken Object Level Authorization (BOLA/IDOR)
- Broken Function Level Authorization (BFLA) and privilege escalation
- Property Authorization over-exposure
- Input Validation issues such as CORS wildcard usage and dangerous HTTP methods
- Rate Limiting and Resource Consumption anomalies
- Data Exposure, including PII patterns and API key formats
- Encryption misconfigurations
- SSRF indicators
- Inventory Management deficiencies
- Unsafe Consumption surfaces
- LLM/AI Security adversarial probes
It parses OpenAPI 3.0, 3.1, and Swagger 2.0 specifications with recursive $ref resolution and cross-references spec definitions against runtime observations to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination.
Authenticated scanning and compliance mapping
Authenticated scanning, available from the Starter tier upward, supports Bearer tokens, API keys, Basic authentication, and cookies. Before credentials can be used, domain ownership must be proven through a DNS TXT record or an HTTP well-known file, so only the domain owner can run authenticated scans against it. The scanner enforces a strict header allowlist and forwards only Authorization, X-API-Key, Cookie, and X-Custom-* headers to the target. Findings are mapped directly to PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Top 10 (2023); these mappings are supporting evidence you can use when preparing for or aligning with controls in those and other regulatory frameworks, not a certification of compliance with them.
Product features, integrations, and monitoring
The Web Dashboard runs scans, shows reports and score trends over time, and produces downloadable branded compliance PDFs. The CLI, distributed as the npm package middlebrick, runs scans with commands such as middlebrick scan <url> and prints JSON or plain text output. A GitHub Action acts as a CI/CD gate and fails the build when the score drops below a threshold you define. An MCP Server lets AI coding assistants trigger scans, and a programmable API supports custom integrations. Continuous monitoring, in the Pro tier, adds scheduled rescans, diff detection between scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that are automatically disabled after five consecutive delivery failures; receivers should verify the signature over the raw request body before acting on a delivery.
Limitations and safety posture
middleBrick is a scanning tool: it detects issues and gives remediation guidance, but it does not fix, patch, block, or remediate them. It does not perform active SQL injection or command injection testing, because those need intrusive payloads outside its scope. It does not find business logic vulnerabilities, which require domain-specific human analysis. Blind SSRF is out of scope because confirming it requires out-of-band callback infrastructure the scanner does not operate, and the tool does not replace a human pentester for high-stakes audits. Its safety measures are read-only methods only and blocking of private IP ranges, localhost, and cloud metadata endpoints at multiple layers. Customer data can be deleted on demand and within 30 days of cancellation, and it is not retained for model training.