Apigee as an API security dashboard
What middleBrick covers
- Risk scoring from A to F with prioritized findings
- Black-box scanning with no agents or code access
- Coverage of 12 security categories aligned to the OWASP API Top 10 (2023)
- OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with strict header allowlist
- Dashboard with trend tracking and compliance PDF exports
Purpose and scope of an API security dashboard
An API security dashboard serves as a centralized view of risk across an API portfolio, showing where issues exist, how severe they are, and how they change over time. It should surface findings mapped to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II so that teams can prioritize remediation work. middleBrick provides a risk score from A to F and a prioritized list of findings, enabling teams to focus on the most exploitable paths first.
How middleBrick differs from a traditional dashboard
middleBrick is a self-service scanner that requires no agents, SDKs, or code access. It performs black-box testing using only read-only methods such as GET and HEAD, with text-only POST for LLM probes, and completes scans in under a minute. Because it does not modify systems, it avoids the operational risk associated with more intrusive testing. The dashboard aggregates results from multiple scans and shows score trends, helping teams understand whether security posture is improving or degrading.
Detection coverage against common API risks
The scanner evaluates 12 security categories aligned to OWASP API Top 10 (2023) and related compliance evidence. Key checks include authentication bypass and JWT misconfigurations such as alg=none or expired tokens, BOLA and IDOR via sequential ID probing, BFLA and privilege escalation through role/permission field leakage, and data exposure risks like PII patterns and API key formats. It also detects CORS wildcard misconfigurations, dangerous HTTP methods, rate-limit header issues, SSRF indicators in URL-accepting parameters, and server fingerprinting, which it reports under improper inventory management.
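To make a few of these checks concrete, here is an added example (our own code, not middleBrick's) that runs the response-header checks named above over a constructed set of headers, plus the inbound-side guard a service should apply so that a token declaring alg=none is never accepted. The severity labels, the rate-limit header names and the sample headers and tokens are assumptions made for the example.

```python
"""Added example, not middleBrick's own code: a handful of the
response-level checks described above, run over constructed sample
headers so the logic can be exercised offline. Finding tuples are
(category, severity, detail); the severity labels are our own."""
import base64
import json

# Methods beyond the read-only set that a public API rarely needs to advertise.
DANGEROUS_METHODS = {"PUT", "DELETE", "PATCH", "TRACE"}
# Header names (assumption: common conventions) that signal rate limiting is in place.
RATE_LIMIT_HEADERS = ("ratelimit-limit", "x-ratelimit-limit", "retry-after")


def _lower(headers):
    """Case-insensitive view of an HTTP header mapping."""
    return {k.lower(): v for k, v in headers.items()}


def check_cors(headers):
    h = _lower(headers)
    if h.get("access-control-allow-origin") != "*":
        return []
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    # A wildcard origin is a finding on its own; paired with credentials it
    # shows the policy was never thought through.
    return [("cors", "high" if creds else "medium",
             "Access-Control-Allow-Origin is a wildcard")]


def check_methods(headers):
    h = _lower(headers)
    allow = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    risky = sorted(allow & DANGEROUS_METHODS)
    if not risky:
        return []
    return [("methods", "medium", "Allow header advertises " + ", ".join(risky))]


def check_rate_limit_headers(headers):
    h = _lower(headers)
    if any(name in h for name in RATE_LIMIT_HEADERS):
        return []
    return [("rate-limit", "low", "no rate-limit headers on the response")]


def check_server_fingerprint(headers):
    h = _lower(headers)
    findings = []
    for name in ("server", "x-powered-by"):
        value = h.get(name)
        # A version number in Server/X-Powered-By is the classic fingerprint.
        if value and any(ch.isdigit() for ch in value):
            findings.append(("fingerprint", "low", f"{name} exposes a version: {value}"))
    return findings


def run_checks(headers):
    findings = []
    for check in (check_cors, check_methods, check_rate_limit_headers, check_server_fingerprint):
        findings.extend(check(headers))
    return findings


def reject_unsigned_jwt(token):
    """Inbound-side guard: True if the token must be rejected because its
    header is unparseable, lacks 'alg', or declares alg=none."""
    header_b64 = token.split(".")[0]
    header_b64 += "=" * (-len(header_b64) % 4)  # restore base64url padding
    try:
        header = json.loads(base64.urlsafe_b64decode(header_b64))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return True
    if not isinstance(header, dict):
        return True
    alg = header.get("alg")
    return not isinstance(alg, str) or alg.lower() == "none"


# Constructed sample response headers showing several of the problems above.
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Allow": "GET, HEAD, OPTIONS, DELETE",
    "Content-Type": "application/json",
}
# Constructed tokens: header {"alg":"none"} vs {"alg":"HS256","typ":"JWT"}.
UNSIGNED_TOKEN = "eyJhbGciOiJub25lIn0.e30."
SIGNED_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.c2lnbmF0dXJl"

if __name__ == "__main__":
    for category, severity, detail in run_checks(SAMPLE_HEADERS):
        print(f"[{severity}] {category}: {detail}")
    print("reject unsigned token:", reject_unsigned_jwt(UNSIGNED_TOKEN))
```

The header checks are deliberately passive: they only read what the API already returns, which is the same posture the page describes for black-box scanning. The JWT guard belongs on the receiving side; it rejects before any signature verification is attempted, so a library that treats alg=none as "no signature required" is never reached.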
OpenAPI analysis and runtime correlation
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 files with recursive $ref resolution. It cross-references the spec against runtime behavior to highlight undefined security schemes, sensitive fields exposed by endpoints, deprecated operations, and missing pagination. This comparison helps teams identify discrepancies between intended design and actual behavior, supporting audit evidence for SOC 2 Type II and PCI-DSS 4.0 without claiming certification.
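The spec-side half of this comparison can be shown in a small amount of code. The following is an added example (our own, not middleBrick's parser): a resolver for local `$ref` pointers in an OpenAPI 3.x document, followed by the four spec checks named above, run over a constructed sample document. The sensitive-field and pagination-parameter name lists are assumptions for the example; a real scanner would use a much longer set.

```python
"""Added example, not middleBrick's own code: a local $ref resolver for
OpenAPI 3.x documents plus the spec-side checks named above (operations
with no security scheme, sensitive response fields, deprecated
operations, list endpoints without pagination). The sample spec is
constructed; the sensitive-field and pagination name lists are our own."""

HTTP_METHODS = ("get", "post", "put", "patch", "delete", "head", "options")
SENSITIVE_FIELDS = {"password", "ssn", "secret", "token", "credit_card"}
PAGINATION_PARAMS = {"limit", "offset", "page", "page_size", "per_page", "cursor"}
_ROOT = object()  # sentinel so a literal null in the spec is not mistaken for "start at root"


def resolve_pointer(spec, ref):
    """Follow a local JSON pointer such as '#/components/schemas/User'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are handled here: {ref}")
    node = spec
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def resolve_refs(spec, node=_ROOT, seen=()):
    """Return a deep copy of `node` with every local $ref expanded.
    Recursive schemas are cut at the second visit to avoid infinite expansion."""
    if node is _ROOT:
        node = spec
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in seen:
                return {"x-circular-ref": ref}
            return resolve_refs(spec, resolve_pointer(spec, ref), seen + (ref,))
        return {k: resolve_refs(spec, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(spec, v, seen) for v in node]
    return node


def find_sensitive_fields(schema):
    """Property names in a resolved schema that match the sensitive list."""
    found = set()
    if not isinstance(schema, dict):
        return found
    for name, sub in schema.get("properties", {}).items():
        if name.lower() in SENSITIVE_FIELDS:
            found.add(name)
        found |= find_sensitive_fields(sub)
    found |= find_sensitive_fields(schema.get("items"))
    for key in ("allOf", "oneOf", "anyOf"):
        for sub in schema.get(key, []):
            found |= find_sensitive_fields(sub)
    return found


def audit_spec(raw_spec):
    """Return (finding, location) pairs for the whole document."""
    spec = resolve_refs(raw_spec)
    global_security = raw_spec.get("security")
    findings = []
    for path, item in spec.get("paths", {}).items():
        shared_params = {p.get("name") for p in item.get("parameters", [])}
        for method in HTTP_METHODS:
            op = item.get(method)
            if not op:
                continue
            where = f"{method.upper()} {path}"
            # Operation-level `security` overrides the global list; an explicit
            # empty list, or no list at either level, means the operation is open.
            if not op.get("security", global_security):
                findings.append(("undefined-security", where))
            if op.get("deprecated"):
                findings.append(("deprecated", where))
            params = shared_params | {p.get("name") for p in op.get("parameters", [])}
            for response in op.get("responses", {}).values():
                for media in response.get("content", {}).values():
                    schema = media.get("schema", {})
                    if (method == "get" and schema.get("type") == "array"
                            and not (params & PAGINATION_PARAMS)):
                        findings.append(("missing-pagination", where))
                    for field in sorted(find_sensitive_fields(schema)):
                        findings.append(("sensitive-field", f"{where} -> {field}"))
    return findings


# Constructed sample document exercising each check.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object", "properties": {
                "id": {"type": "integer"},
                "email": {"type": "string"},
                "password": {"type": "string"}}},
            "UserList": {"type": "array", "items": {"$ref": "#/components/schemas/User"}},
        },
    },
    "paths": {
        "/users": {"get": {"responses": {"200": {"description": "all users", "content": {
            "application/json": {"schema": {"$ref": "#/components/schemas/UserList"}}}}}}},
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True, "schema": {"type": "integer"}}],
            "get": {"security": [{"bearerAuth": []}], "responses": {"200": {"description": "one user", "content": {
                "application/json": {"schema": {"$ref": "#/components/schemas/User"}}}}}}},
        "/legacy/export": {"get": {"deprecated": True, "security": [{"bearerAuth": []}],
                                   "responses": {"200": {"description": "ok"}}}},
    },
}

if __name__ == "__main__":
    for finding, where in audit_spec(SAMPLE_SPEC):
        print(f"{finding:20} {where}")
```

Two details matter in practice. First, `security` must be read with OpenAPI's override rule: an operation without the key inherits the document-level list, while an explicit empty list disables authentication for that operation, so both cases have to count as open. Second, the resolver keeps a path of refs it is already inside and stops at the first repeat; without that, any self-referential schema (a tree node with children of the same type) would recurse forever.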
Authenticated scanning and safe operation
Authenticated scanning is available in Starter and higher tiers, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file to ensure only domain owners can scan with credentials. The scanner uses a strict header allowlist that includes only Authorization, X-API-Key, Cookie, and X-Custom-* headers. All scanning is read-only, with destructive payloads never sent and private IPs, localhost, and cloud metadata endpoints blocked at multiple layers.
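The three controls in this paragraph (header allowlist, domain verification, and the block on private and metadata addresses) are easy to get subtly wrong, so here is an added example of each as plain functions. This is our own illustration, not middleBrick's code: the allowlisted header names are the ones the page lists, but the blocked hostname list, the TXT record format and the way resolved addresses are passed in are assumptions.

```python
"""Added example, not middleBrick's own code: the three safety controls
described above as plain functions. The allowlist names come from the
page; the blocked-host list, the TXT record format and the resolved-IP
interface are assumptions for illustration."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_HEADER_PREFIX = "x-custom-"
# Assumption: hostnames that must never be scanned even before resolution.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def filter_headers(headers):
    """Keep only the credential headers a user may forward to the target."""
    kept = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in ALLOWED_HEADERS or lname.startswith(ALLOWED_HEADER_PREFIX):
            kept[name] = value
    return kept


def ip_is_internal(text):
    """True for loopback, RFC 1918, link-local (which covers 169.254.169.254), etc."""
    ip = ipaddress.ip_address(text)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def target_rejection(url, resolved_ips=()):
    """Reason the URL must not be scanned, or None if it may proceed.
    `resolved_ips` is what the caller's resolver returned for the host; the same
    check must be repeated on every redirect hop, because a public hostname can
    redirect to an internal address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme is not http or https"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "no host in URL"
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return f"blocked hostname {host}"
    candidates = list(resolved_ips)
    try:
        ipaddress.ip_address(host)
        candidates.append(host)  # the URL carries a literal IP
    except ValueError:
        if not candidates:
            return "hostname not yet resolved; resolve, then re-check each address"
    for ip in candidates:
        if ip_is_internal(ip):
            return f"{ip} is a private, loopback or link-local address"
    return None


def domain_verified(txt_records, expected_token):
    """Assumed TXT record format: 'middlebrick-verify=<token>'."""
    wanted = f"middlebrick-verify={expected_token}"
    return any(r.strip().strip('"') == wanted for r in txt_records)


# Constructed inputs.
RAW_HEADERS = {"Authorization": "Bearer abc", "X-Custom-Tenant": "acme",
               "Host": "internal", "X-Forwarded-For": "127.0.0.1"}

if __name__ == "__main__":
    print(filter_headers(RAW_HEADERS))
    for url, ips in [("https://api.example.com/v1", ["93.184.216.34"]),
                     ("http://169.254.169.254/", []),
                     ("https://api.example.com/v1", ["10.0.0.5"])]:
        print(url, "->", target_rejection(url, ips) or "allowed")
```

The allowlist is positive: anything not named is dropped, so headers like `Host` or `X-Forwarded-For` that could steer a request cannot be smuggled in. The address check refuses to decide on an unresolved hostname, which forces the caller to resolve first and check every returned address; that, together with re-checking on redirects, is what "blocked at multiple layers" has to mean in practice.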
Product options, monitoring, and integrations
The Web Dashboard provides scan management, score trends, and branded compliance PDFs. The CLI enables commands such as middlebrick scan <url>, with JSON or text output, and the GitHub Action can fail builds when scores drop below a threshold. The MCP Server allows scanning from AI coding assistants. Pro tier adds scheduled rescans every 6 hours, daily, weekly, or monthly, diff detection across scans, email alerts at rate-limited intervals, HMAC-SHA256 signed webhooks, and compliance reporting. These capabilities help you prepare for audits and maintain ongoing visibility without overstating guarantees.
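Two of these integrations are worth showing on the consuming side: verifying an HMAC-SHA256 signed webhook before trusting its contents, and applying the score threshold a CI job would use to fail a build. The following is an added example (our own code, not middleBrick's) built on assumptions the page does not specify: that the signature covers `<unix timestamp>.<raw body>` and arrives as `sha256=<hex>` in one header with the timestamp in another, and that the payload carries the grade under `score`.

```python
"""Added example, not middleBrick's own code: receiver-side verification
of an HMAC-SHA256 signed webhook and the score-threshold gate a CI job
would apply. Assumptions: the signature covers '<unix timestamp>.<raw body>',
arrives as 'sha256=<hex>' in one header with the timestamp in another,
and the payload carries the grade under "score". middleBrick's real
header names and payload layout are not given on the page."""
import hashlib
import hmac
import json
import time

GRADES = "ABCDEF"  # best to worst, the page's A-F scale
TOLERANCE_SECONDS = 300  # reject deliveries older than this to limit replay


def sign_payload(secret, timestamp, body):
    """Produce the signature the sender would attach (used here to build test input)."""
    message = f"{timestamp}.".encode() + body
    return "sha256=" + hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret, body, signature_header, timestamp_header, now=None):
    """Return the parsed payload if it is authentic and fresh, else None."""
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(timestamp_header)
    except (TypeError, ValueError):
        return None
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return None
    expected = sign_payload(secret, timestamp, body)
    # Constant-time comparison: a plain == leaks where the first mismatch is.
    if not hmac.compare_digest(expected.encode(), (signature_header or "").encode()):
        return None
    return json.loads(body)


def build_should_fail(grade, minimum_grade):
    """CI gate: fail when the scan grade is worse than the configured minimum."""
    return GRADES.index(grade.upper()) > GRADES.index(minimum_grade.upper())


# Constructed delivery.
SECRET = b"constructed-webhook-secret"
BODY = b'{"url": "https://api.example.com", "score": "C", "findings": 7}'
SENT_AT = 1700000000
SIGNATURE = sign_payload(SECRET, SENT_AT, BODY)

if __name__ == "__main__":
    payload = verify_webhook(SECRET, BODY, SIGNATURE, str(SENT_AT), now=SENT_AT + 5)
    print("authentic:", payload is not None)
    if payload:
        print("fail build:", build_should_fail(payload["score"], "B"))
```

The order inside `verify_webhook` is deliberate: the body is parsed only after the MAC has been checked over the raw bytes, so a forged or tampered delivery never reaches the JSON parser or the CI gate. Including the timestamp in the signed message means a captured delivery cannot be replayed later with a fresh timestamp header, because that header is bound by the MAC too.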