Alternatives to Apigee in SaaS

What middleBrick covers

  • Black-box scanning with read-only methods, completing in under one minute
  • 12 OWASP API Top 10 (2023) categories with detailed findings
  • OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution
  • Authenticated scanning with strict header allowlist
  • CI/CD integration via GitHub Action and MCP server
  • Continuous monitoring with diff detection and alerts

Overview of API Security Scanning for SaaS

API security for SaaS requires a scanner that does not depend on the target's language or runtime. This approach analyzes live endpoints using read-only methods and text-only POST probes. The scanner returns a risk score and prioritized findings within one minute, enabling teams to validate security before deployment.

Detection Coverage and Standards Alignment

The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023). It maps findings to PCI-DSS 4.0 and SOC 2 Type II where relevant controls are exercised. Detection capabilities include:

  • Authentication issues such as JWT misconfigurations, alg=none, and missing claims.
  • BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing.
  • BFLA and privilege escalation through admin endpoint probing.
  • Property authorization over-exposure and internal field leakage.
  • Input validation checks for CORS wildcard usage and dangerous HTTP methods.
  • Rate limiting detection via response headers and oversized responses.
  • Data exposure patterns including emails, Luhn-validated card numbers, and API key formats.
  • Encryption misconfigurations such as missing HSTS and mixed content.
  • SSRF indicators like URL-accepting parameters and internal IP probing.
  • Inventory issues including missing versioning and legacy paths.
  • Unsafe consumption surfaces through excessive third-party URLs and webhooks.
  • LLM security with adversarial probes for jailbreak, data exfiltration, and token smuggling.
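The data exposure category above relies on pattern matching, and the reason for "Luhn-validated" card numbers is false-positive control: a random 16-digit identifier should not be reported as a leaked card. The following added example (not middleBrick's code) shows that detection logic run over constructed response bodies. The API key format (prefix `demo_`) is a constructed placeholder, since the page does not list the formats the scanner recognizes.

```python
import re

# Constructed sample response bodies (not real data). 4111111111111111 is the
# well-known Luhn-valid test number; 1234567890123456 is 16 digits but fails Luhn.
SAMPLE_RESPONSES = {
    "/v1/users/42": '{"id":42,"email":"jane.doe@example.com","note":"ref 1234567890123456"}',
    "/v1/orders/7": '{"id":7,"card":"4111 1111 1111 1111","status":"paid"}',
    "/v1/keys": '{"key":"demo_0123456789abcdef0123456789abcdef"}',
    "/v1/health": '{"status":"ok"}',
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by single spaces or dashes; the lookarounds
# stop the pattern from matching the middle of a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Hypothetical key format: constructed prefix followed by 32 hex characters.
KEY_RE = re.compile(r"\bdemo_[0-9a-f]{32}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep_start: int, keep_end: int) -> str:
    """Mask a secret so the finding can be reported without re-exposing it."""
    hidden = max(len(value) - keep_start - keep_end, 0)
    return value[:keep_start] + "*" * hidden + value[-keep_end:]


def find_exposures(body: str) -> list:
    """Return (kind, masked_value) tuples for sensitive data found in a body."""
    findings = []
    for m in EMAIL_RE.finditer(body):
        findings.append(("email", m.group(0)))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):          # drop identifiers that merely look like cards
            findings.append(("card", mask(digits, 6, 4)))
    for m in KEY_RE.finditer(body):
        findings.append(("api_key", mask(m.group(0), 8, 4)))
    return findings


def scan_responses(responses: dict) -> dict:
    """Map each path to its findings, omitting paths with nothing exposed."""
    report = {}
    for path, body in responses.items():
        found = find_exposures(body)
        if found:
            report[path] = found
    return report


if __name__ == "__main__":
    for path, found in scan_responses(SAMPLE_RESPONSES).items():
        print(path, found)
```

Card numbers are masked to the first six and last four digits before being placed in the report, so the scan output itself does not become a second copy of the exposed data.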

OpenAPI Analysis and Authenticated Scanning

The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references the spec against runtime behavior to identify undefined security schemes, deprecated operations, and missing pagination. Authenticated scanning supports Bearer, API key, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or HTTP well-known files, ensuring only domain owners can submit credentials. A strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*.
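To make the spec-analysis step concrete, here is an added example (not middleBrick's parser) of recursive local `$ref` resolution with cycle protection, plus the kind of cross-check the paragraph describes: operations that name a security scheme that `components.securitySchemes` never defines. The spec fragment is constructed for the example; `bearerAuth` is a placeholder scheme name, and the `x-circular` marker used for cyclic references is this example's own convention.

```python
# Constructed OpenAPI 3.0 fragment with a nested $ref, a cycle
# (User -> Address -> User) and a security requirement that is never defined.
SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/users/{id}": {
            "get": {
                "security": [{"bearerAuth": []}],
                "responses": {"200": {"content": {"application/json": {
                    "schema": {"$ref": "#/components/schemas/User"}}}}},
            }
        }
    },
    "components": {
        "schemas": {
            "User": {"type": "object", "properties": {
                "id": {"type": "integer"},
                "address": {"$ref": "#/components/schemas/Address"}}},
            "Address": {"type": "object", "properties": {
                "city": {"type": "string"},
                "owner": {"$ref": "#/components/schemas/User"}}},
        }
        # no "securitySchemes": bearerAuth is therefore undefined
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def _lookup(doc, pointer: str):
    """Follow a local JSON Pointer (RFC 6901) such as '#/components/schemas/User'."""
    if not pointer.startswith("#/"):
        raise ValueError(f"only local references are supported: {pointer}")
    node = doc
    for part in pointer[2:].split("/"):
        part = part.replace("~1", "/").replace("~0", "~")   # unescape per RFC 6901
        node = node[part]
    return node


def _resolve(doc, node, stack):
    """Return a copy of node with $refs expanded; stack holds refs being expanded."""
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str):
            if ref in stack:
                # Cycle: keep the reference instead of recursing forever.
                return {"$ref": ref, "x-circular": True}
            return _resolve(doc, _lookup(doc, ref), stack + (ref,))
        return {k: _resolve(doc, v, stack) for k, v in node.items()}
    if isinstance(node, list):
        return [_resolve(doc, v, stack) for v in node]
    return node


def resolve_refs(doc):
    """Expand every local $ref in an OpenAPI document without mutating it."""
    return _resolve(doc, doc, ())


def undefined_security_schemes(doc):
    """List (METHOD, path, scheme) where an operation requires an undefined scheme."""
    defined = set(doc.get("components", {}).get("securitySchemes", {}))
    problems = []
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # Operation-level security overrides the document-level default.
            for requirement in op.get("security", doc.get("security", [])):
                for name in requirement:
                    if name not in defined:
                        problems.append((method.upper(), path, name))
    return problems


if __name__ == "__main__":
    print(undefined_security_schemes(SPEC))
```

The resolver builds new dictionaries rather than editing the input in place, so the original document remains available for reporting the location of each finding; the resolution stack, not a global visited set, is what distinguishes a genuine cycle from a schema that is simply referenced twice.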

middlebrick scan https://api.example.com/openapi.json --auth-type bearer --auth-token "<token>"
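The header allowlist above is the control that keeps an authenticated scan from forwarding arbitrary headers to the target. The following added example (not middleBrick's implementation) shows how such an allowlist behaves: exact matches on Authorization, X-API-Key and Cookie, a prefix match on X-Custom-*, case-insensitive comparison, and everything else dropped and reported. The `build_auth_header` helper and the values `api-key`, `basic` and `cookie` are assumptions modelled on the `--auth-type bearer` option shown in the command; only `bearer` appears on the page.

```python
import base64

ALLOWED_EXACT = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIXES = ("x-custom-",)


def build_auth_header(auth_type: str, secret: str) -> dict:
    """Translate a CLI-style auth type into the single header it produces (assumed names)."""
    if auth_type == "bearer":
        return {"Authorization": f"Bearer {secret}"}
    if auth_type == "api-key":
        return {"X-API-Key": secret}
    if auth_type == "basic":   # secret is "user:password"
        return {"Authorization": "Basic " + base64.b64encode(secret.encode()).decode()}
    if auth_type == "cookie":  # secret is the raw Cookie header value
        return {"Cookie": secret}
    raise ValueError(f"unsupported auth type: {auth_type}")


def filter_forwarded_headers(headers: dict) -> tuple:
    """Split user-supplied headers into (forwarded, dropped) per the allowlist."""
    forwarded, dropped = {}, []
    for name, value in headers.items():
        lname = name.lower()                 # HTTP header names are case-insensitive
        if lname in ALLOWED_EXACT or lname.startswith(ALLOWED_PREFIXES):
            forwarded[name] = value
        else:
            dropped.append(name)
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed request: a legitimate bearer token plus headers a scan must not forward.
    headers = {**build_auth_header("bearer", "<token>"),
               "X-Custom-Tenant": "acme",
               "Host": "internal.example",          # would rewrite the target host
               "X-Forwarded-For": "127.0.0.1"}     # would spoof the client address
    print(filter_forwarded_headers(headers))
```

Dropped names are returned rather than silently discarded so the scan report can tell the operator which headers were withheld; headers like Host and X-Forwarded-For are the kind an allowlist is there to keep out.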

Deployment Options and Continuous Monitoring

Products include a web dashboard for managing scans and viewing score trends, a CLI for local execution, and a GitHub Action that can fail builds based on score thresholds. An MCP server enables scanning from AI coding assistants. The Pro tier adds scheduled rescans, diff detection, email alerts, and signed webhooks. Enterprise tiers support custom rules, SSO, and audit logs. Scan data is deletable on demand and retained only as long as needed.

Limitations and Scope

The scanner does not fix, patch, or block findings; it reports with remediation guidance. Active SQL injection and command injection tests are outside scope due to the read-only design. Business logic vulnerabilities require domain expertise and are not detected. Blind SSRF and certain infrastructure issues are not evaluated. The tool does not replace a human pentester for high-stakes audits.

Frequently Asked Questions

How does the scanner determine risk scores?
The scanner evaluates findings against the OWASP API Top 10 (2023) and assigns scores that reflect severity and exposure. Results are presented with prioritized remediation steps.
Can it integrate into existing CI/CD pipelines?
Yes, the GitHub Action supports CI/CD gates and can enforce score thresholds to block merges when risk levels exceed defined limits.
What happens to scan data after cancellation?
Customer data is deletable on demand and purged within 30 days of cancellation. It is never sold or used for model training.
Does the tool detect compliance with HIPAA or GDPR?
The tool surfaces findings relevant to security controls and helps you prepare for audits. It does not certify compliance with HIPAA, GDPR, or other regulations.