Customer hand-off validation

Customer hand-off validation is the process of confirming that an API intended for external consumers behaves as expected under realistic conditions before it is released or promoted. This includes verifying that authentication mechanisms work, that responses do not disclose sensitive data, and that the API enforces proper authorization and rate limits. The goal is to reduce the risk of misconfiguration reaching production and to provide documented evidence of security posture for downstream teams and compliance activities.

Teams that skip hand-off validation often discover issues late, after integration tests or production incidents expose data leakage or broken access controls. Common errors include permissive CORS settings, missing or misconfigured security headers, over-exposed object properties, and unhandled error messages that reveal stack traces or internal paths. These gaps can lead to compliance audit findings, incident response activity, and rework late in the release cycle when fixes are more costly.

A robust workflow begins with a clear inventory of public and partner APIs, followed by automated scanning on a stable endpoint. Each scan should exercise authentication flows, verify security headers, inspect response payloads for sensitive data, and validate that rate limiting and pagination are present where applicable. Findings are triaged by severity and mapped to relevant frameworks to inform remediation tickets and evidence collection. Scans are repeated on a schedule and after any change to the API surface to detect drift.

• Define the API inventory and ownership.
• Run black-box scans covering authentication, input validation, and data exposure.
• Review findings against PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023).
• Track score trends and issue remediation tickets.
• Automate scans in CI/CD and monitor with scheduled rescan intervals.

middleBrick is a self-service API security scanner that validates external-facing APIs without requiring code access or agents. Submit a URL and receive a risk score with prioritized findings aligned to OWASP API Top 10 (2023), including checks for authentication bypass, JWT misconfigurations, BOLA and BFLA, property over-exposure, CORS misconfigurations, rate-limiting headers, PII and API key leakage, and HTTPS/HSTS settings.

For LLM-facing APIs, the scanner runs 18 adversarial probes across Quick, Standard, and Deep tiers to test for system prompt extraction, instruction override, jailbreak techniques, data exfiltration, and token smuggling. OpenAPI documents are parsed with recursive $ref resolution and compared against runtime behavior to identify undefined security schemes or deprecated operations.

Authenticated scanning supports Bearer, API key, Basic auth, and cookies, gated by domain verification to ensure only domain owners can scan with credentials. The tool enforces a strict allowlist of headers and read-only methods, blocking destructive payloads and private endpoints. Scan results feed the web dashboard for tracking, generate branded compliance PDFs, and can be integrated via CLI, GitHub Action, MCP Server, or a programmable API.

middleBrick focuses on detection and reporting rather than remediation. It does not perform active SQL injection or command injection testing, as those require intrusive payloads outside its scope. Business logic vulnerabilities and blind SSRF are also out of scope, as they typically require domain knowledge and out-of-band infrastructure. The scanner does not replace a human pentester for high-stakes audits.

Scan data is deletable on demand and purged within 30 days of cancellation. Customer data is never sold or used for model training. Pricing tiers range from free with limited scans to Enterprise with unlimited APIs, custom rules, SSO, and dedicated support. Email alerts are rate-limited, and webhooks use HMAC-SHA256 signing with auto-disable after repeated failures to prevent notification storms.