ISO 27001 API control evidence
What middleBrick covers
- Black-box scanning with no agents or code access
- Read-only methods only, no destructive payloads
- Covers 12 categories aligned to OWASP API Top 10 (2023)
- OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
- Authenticated scans with Bearer, API key, Basic, and Cookie
- Exportable findings for audit documentation and compliance artifacts
What ISO 27001 control evidence for APIs looks like
ISO 27001 requires demonstrated controls over information security, including access control, encryption, and monitoring. For APIs, this means evidence that authentication is validated, data exposure is limited, and operations are auditable. Teams often mistake policy documents for controls, producing checklists without runtime proof. middleBrick maps findings directly to security controls, providing artifacts you can reference during audits.
Common gaps when skipping structured API evidence collection
Without a repeatable scanning workflow, teams rely on manual testing or informal reviews, which miss inconsistent configurations and drift between releases. Common gaps include weak authentication setups, over-exposed data fields, missing encryption enforcement, and unchecked integrations that increase the attack surface. These gaps weaken audit readiness and increase the likelihood of control failures during assessments aligned with security frameworks such as PCI-DSS 4.0 and SOC 2 Type II.
A practical workflow for continuous API control evidence
Integrate scanning into design review, pre-release, and periodic reassessment stages. Start with an asset inventory and versioned API definitions (OpenAPI 3.0, 3.1, or Swagger 2.0), resolving $ref references recursively and validating the resulting definition against runtime behavior. Run black-box scans to detect authentication misconfigurations, IDOR, data exposure, and encryption issues, then compare findings against defined security baselines. Track score trends, store signed artifacts for audits, and use automated gates in CI/CD to block merges when risk thresholds are exceeded.
middlebrick scan https://api.example.com/openapi.json --output json
Authenticated scans with Bearer, API key, Basic auth, or Cookie can be enabled for environments behind access controls, provided domain verification is completed. Restrict forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-* to limit credential exposure.
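The CI gate and forwarded-header allowlist from the workflow above, as an added example that is not middleBrick's own code. The JSON report shape (a `score` field plus a list of findings with `category` and `severity`), the 80-point threshold, and the sample report are assumptions, since middleBrick's output format is not documented on this page.

```python
import fnmatch
import json
import sys

# Allowlist from the page: only these headers are forwarded to the target API.
ALLOWED_FORWARD_HEADERS = ("Authorization", "X-API-Key", "Cookie", "X-Custom-*")


def filter_forwarded_headers(headers):
    """Drop every header not on the allowlist (case-insensitive, '*' is a glob),
    so stray credentials such as Proxy-Authorization or X-Forwarded-For
    never reach the scanned API."""
    kept = {}
    for name, value in headers.items():
        if any(fnmatch.fnmatchcase(name.lower(), pat.lower()) for pat in ALLOWED_FORWARD_HEADERS):
            kept[name] = value
    return kept


def gate(report, min_score=80, block_severities=("critical", "high")):
    """Return (passed, reasons). The report shape is an assumption:
    {"score": int, "findings": [{"category": str, "severity": str}]}."""
    reasons = []
    score = report.get("score")
    if score is None or score < min_score:
        reasons.append(f"score {score} is below threshold {min_score}")
    for finding in report.get("findings", []):
        sev = str(finding.get("severity", "")).lower()
        if sev in block_severities:
            reasons.append(f"{sev} finding in {finding.get('category', '?')}")
    return (not reasons, reasons)


# Constructed sample report for the stand-alone run; not real scanner output.
SAMPLE_REPORT = json.loads("""{
  "score": 72,
  "findings": [
    {"category": "Rate limiting", "severity": "medium"},
    {"category": "Broken Object Level Authorization", "severity": "high"}
  ]
}""")

if __name__ == "__main__":
    # In CI: middlebrick scan ... --output json > report.json; python gate.py report.json
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, reasons = gate(report)
    for reason in reasons:
        print("BLOCK:", reason)
    sys.exit(0 if passed else 1)
```

A non-zero exit code is what the merge gate keys on; the printed reasons go into the pipeline log as part of the audit trail.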
What middleBrick covers out of the box for ISO 27001 evidence
The scanner operates as a read-only black-box tool, submitting GET and HEAD requests plus text-only POST for LLM probes. It detects issues across 12 categories aligned to OWASP API Top 10 (2023) that support audit evidence for common ISO 27001 controls. Out-of-scope methods and destructive payloads are never used. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data can be deleted on demand and is never used for model training.
- Authentication and session management, including JWT misconfigurations and security headers
- Broken Object Level Authorization and excessive property exposure
- Input validation, CORS misconfigurations, and dangerous HTTP methods
- Rate limiting, oversized responses, and error leakage
- Data exposure indicators such as PII patterns and API key formats
- Encryption enforcement, HSTS, and cookie attributes
Limitations and responsible use of scanning results
middleBrick is a scanning tool and does not fix, patch, or remediate findings. It does not perform active SQL injection or command injection testing, detect business logic flaws, or provide blind SSRF validation. It surfaces findings relevant to security frameworks and helps you prepare for audits, but it cannot certify compliance or replace human review for high-stakes assessments. Use the output as evidence to guide remediation and to inform risk-based decisions.