DORA ICT risk evidence
What middleBrick covers
- Black-box API scanning that completes in under one minute
- Risk scoring from A to F with prioritized findings
- Detection aligned to OWASP API Top 10 (2023), PCI-DSS 4.0, SOC 2 Type II
- OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution
- Authenticated scans with header allowlist and domain verification
- Continuous monitoring with diff tracking and webhook alerts
DORA ICT risk evidence and why it matters
DORA focuses on ICT risk management for entities that provide digital services. Evidence includes incident logs, test results, configuration states, and audit artifacts that demonstrate control effectiveness. Teams that skip structured evidence collection struggle with audit readiness and cannot reliably link findings to specific control objectives. middleBrick generates scanner output that supplies concrete artifacts aligned to DORA expectations, including risk ratings and detection summaries for each assessed API.
Common gaps when ICT risk evidence is not actively managed
Without continuous evidence collection, organizations rely on stale documentation and anecdotal assurances. Common gaps include unknown API sprawl, missing versioning, inconsistent authentication configurations, and undocumented data exposure surfaces. These gaps increase the likelihood of control failures during audits and make it difficult to demonstrate due diligence. The scanner maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023) to provide traceable evidence that supports audit activities.
A practical workflow for generating ICT risk evidence
Start with an inventory of public-facing APIs and require domain verification before authenticated scans. Run black-box scans for each API surface, prioritizing authentication bypass, authorization flaws, input validation, and data exposure. Export structured reports and store them alongside change records to form an evidence timeline. Use the diff tracking in continuous monitoring to highlight new findings and resolved items, and integrate scans into CI/CD with the GitHub Action to enforce risk thresholds before deployment.
What middleBrick covers out of the box
middleBrick is a self-service API security scanner that accepts a URL and returns a risk score with prioritized findings. It performs read-only checks using GET and HEAD methods, plus text-only POST requests for LLM probes, completing scans in under a minute. Detection coverage includes authentication misconfigurations, BOLA and BFLA, property authorization leaks, input validation issues, rate-limiting characteristics, data exposure patterns, encryption misconfigurations, SSRF indicators, inventory deficiencies, unsafe consumption surfaces, and LLM security probes across multiple tiers. OpenAPI 3.0, 3.1, and Swagger 2.0 specs are parsed with recursive $ref resolution and compared against runtime behavior.
Authenticated scanning and evidence quality
Authenticated scans with Bearer tokens, API keys, Basic auth, and cookies require domain verification via DNS TXT record or HTTP well-known file to ensure only the domain owner can submit credentials. A restricted header allowlist is applied, forwarding only Authorization, X-API-Key, Cookie, and X-Custom-* headers. This approach limits noise and keeps evidence focused on security-relevant configurations while supporting compliance activities related to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023).
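The two gates described above, domain verification before credentials are accepted and a restricted header allowlist, as an added illustration that is not middleBrick's own code. The DNS TXT record format, the well-known file path, and the lookup functions are assumptions chosen so the example runs offline.

```python
from typing import Callable, Iterable, Mapping, Optional
from urllib.parse import urlparse

# Exact header names the page lists as forwarded; X-Custom-* is a prefix match.
EXACT_ALLOW = {"authorization", "x-api-key", "cookie"}
PREFIX_ALLOW = "x-custom-"


def filter_headers(headers: Mapping[str, str]) -> dict:
    """Keep only allowlisted headers (case-insensitive); drop everything else."""
    kept = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in EXACT_ALLOW or lname.startswith(PREFIX_ALLOW):
            kept[name] = value
    return kept


def domain_verified(domain: str, token: str,
                    dns_txt: Callable[[str], Iterable[str]],
                    fetch_well_known: Callable[[str], Optional[str]]) -> bool:
    """True if the verification token appears in a DNS TXT record for the
    domain or in an HTTP well-known file. Record name and file path are
    assumptions; the page does not give middleBrick's actual format."""
    expected_record = f"middlebrick-verification={token}"
    if any(rec.strip() == expected_record for rec in dns_txt(domain)):
        return True
    body = fetch_well_known(f"https://{domain}/.well-known/middlebrick-verification.txt")
    return body is not None and body.strip() == token


def prepare_authenticated_scan(target_url: str, headers: Mapping[str, str], token: str,
                               dns_txt, fetch_well_known) -> dict:
    """Refuse to forward credentials unless the target's domain is verified."""
    domain = urlparse(target_url).hostname or ""
    if not domain_verified(domain, token, dns_txt, fetch_well_known):
        raise PermissionError(f"{domain} is not verified; credentials not forwarded")
    return {"url": target_url, "headers": filter_headers(headers)}


# Constructed stand-ins for DNS and HTTP lookups so the example runs offline.
SAMPLE_TXT = {"api.example.com": ["v=spf1 -all", "middlebrick-verification=abc123"]}


def fake_dns_txt(domain: str):
    return SAMPLE_TXT.get(domain, [])


def fake_fetch(url: str):
    return None  # no well-known file published in this constructed sample
```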
Using outputs for audit evidence and ongoing monitoring
Results are presented in a web dashboard with score trends, downloadable compliance PDFs, and branded report formats. The Pro tier adds scheduled rescans, diff detection, email alerts, and signed webhooks for automated workflows. The CLI provides JSON and text output for scripting, and the MCP Server enables scanning from AI coding assistants. Because the scanner detects and reports rather than fixes or blocks, it supplies audit teams with consistent, reproducible evidence that aligns with described security controls without claiming certification.