Apigee for Education

What middleBrick covers

  • Black-box scanning with no agents or SDK integrations
  • Detection of OWASP API Top 10 (2023) misconfigurations
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
  • Authenticated scans for Bearer, API key, Basic, and Cookie
  • Continuous monitoring with diff detection and alerts
  • CI/CD integration via GitHub Action and CLI

API Security Posture for Education

Education environments expose course data, enrollment records, and research outputs through APIs. middleBrick maps findings to OWASP API Top 10 (2023) and supports audit evidence for SOC 2 Type II and PCI-DSS 4.0 when APIs handle payment or cardholder data. The scanner reviews API definitions and runtime behavior to highlight authentication gaps, data exposure risks, and authorization issues common across student information systems and learning platforms.

Black-Box Scanning Approach

middleBrick operates as a black-box scanner: no agents, SDKs, or code access. It sends read-only requests (GET and HEAD), plus text-only POST requests for LLM probes, to any endpoint regardless of language, framework, or cloud provider. A scan typically completes in under a minute. Authenticated scans of sensitive endpoints sit behind a domain verification gate: you prove ownership by publishing a DNS TXT record or an HTTP well-known file before the authenticated scan proceeds.
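The shape of a domain verification gate like the one described above, as an added example that is not middleBrick's own code: a random, expiring challenge token is issued per domain, the owner publishes it in a DNS TXT record or a well-known file, and an authenticated scan is only allowed against the verified domain or its subdomains. The TXT record label, the well-known path and the challenge format are assumptions, and the DNS and HTTP lookups are injected so the example runs offline.

```python
"""Domain verification gate before authenticated scans.

Added example, not middleBrick's own code. The TXT record label, the
well-known path and the challenge format are assumptions; the DNS and
HTTP lookups are injected so the example runs offline.
"""
from __future__ import annotations

import hmac
import secrets
import time
from urllib.parse import urlsplit

TXT_LABEL = "_apiscan-verification"                        # assumed record name
WELL_KNOWN_PATH = "/.well-known/apiscan-verification.txt"  # assumed path


def issue_challenge(domain: str, ttl: int = 3600, now: float | None = None) -> dict:
    """Create a random, expiring token the domain owner must publish."""
    now = time.time() if now is None else now
    return {
        "domain": domain.lower().rstrip("."),
        "token": secrets.token_urlsafe(32),
        "expires": now + ttl,
    }


def _matches(candidate: str | None, token: str) -> bool:
    # Constant-time comparison; TXT values often carry whitespace or quotes.
    if candidate is None:
        return False
    return hmac.compare_digest(candidate.strip().strip('"').encode(), token.encode())


def verify_domain(challenge: dict, dns_txt, http_get, now: float | None = None) -> tuple[bool, str]:
    """dns_txt(name) -> list of TXT values; http_get(url) -> body string or None."""
    now = time.time() if now is None else now
    if now > challenge["expires"]:
        return False, "challenge expired"
    domain, token = challenge["domain"], challenge["token"]
    for value in dns_txt(f"{TXT_LABEL}.{domain}") or []:
        if _matches(value, token):
            return True, "dns-txt"
    # Only HTTPS is consulted so an on-path attacker cannot forge the well-known proof.
    if _matches(http_get(f"https://{domain}{WELL_KNOWN_PATH}"), token):
        return True, "well-known"
    return False, "no matching proof"


def target_in_scope(verified_domain: str, target_url: str) -> bool:
    """An authenticated scan may only run against the verified domain or its subdomains."""
    host = (urlsplit(target_url).hostname or "").lower().rstrip(".")
    return host == verified_domain or host.endswith("." + verified_domain)
```

The scope check matters as much as the proof: verifying `example.edu` must not authorize a scan of `example.edu.attacker.test`, which is why the suffix test includes the leading dot.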

Detection Coverage and Compliance Alignment

The tool detects issues across 12 categories aligned to OWASP API Top 10 (2023), including authentication bypass, BOLA/IDOR, BFLA and privilege escalation, and data exposure (PII and API key patterns). It parses OpenAPI 3.0, 3.1, and Swagger 2.0 specifications with recursive $ref resolution, flags misconfigurations and undefined security schemes, and cross-references the specification against observed runtime behavior. The resulting findings can serve as evidence when preparing for PCI-DSS 4.0 and SOC 2 Type II audits.
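What a pattern-based data exposure check looks like in practice, as an added example that is not middleBrick's rule set: a handful of PII and credential patterns are run over captured response bodies, matches are redacted before they enter a report, and PII served without `Cache-Control: no-store` is flagged separately because a shared cache can retain it. The patterns, categories and sample responses are constructed assumptions.

```python
"""Pattern-based data-exposure checks over captured API responses.

Added example, not middleBrick's own code: the patterns, categories and
sample responses are constructed assumptions used to show the technique.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Illustrative detection patterns (assumptions, not the scanner's real rule set).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-._~+/]{20,}=*)"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret)\b[\"']?\s*[:=]\s*[\"']?([A-Za-z0-9_\-]{16,})"
    ),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
}
PII_CATEGORIES = {"email", "us_ssn"}


@dataclass(frozen=True)
class Finding:
    endpoint: str
    category: str
    sample: str  # redacted excerpt, never the full matched value


def redact(value: str) -> str:
    """Keep only a short prefix/suffix so the report does not re-expose the value."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-2:]


def scan_response(endpoint: str, headers: dict[str, str], body: str) -> list[Finding]:
    """Run every pattern over the body, then check whether any PII hit is cacheable."""
    findings: list[Finding] = []
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(body):
            value = match.group(1) if match.groups() else match.group(0)
            findings.append(Finding(endpoint, category, redact(value)))

    # PII served without Cache-Control: no-store can be retained by shared caches.
    cache_control = headers.get("cache-control", "").lower()
    if any(f.category in PII_CATEGORIES for f in findings) and "no-store" not in cache_control:
        findings.append(Finding(endpoint, "pii_cacheable", cache_control or "<missing>"))
    return findings


def scan_all(responses) -> list[Finding]:
    """responses: iterable of (endpoint, headers, body) triples."""
    findings: list[Finding] = []
    for endpoint, headers, body in responses:
        # Header names are lower-cased once so the lookup is case-insensitive.
        findings.extend(scan_response(endpoint, {k.lower(): v for k, v in headers.items()}, body))
    return findings


# Constructed sample responses (not real traffic).
SAMPLE_RESPONSES = [
    ("GET /api/v1/students/42",
     {"Content-Type": "application/json", "Cache-Control": "public, max-age=3600"},
     '{"id": 42, "email": "jane.doe@example.edu", "ssn": "123-45-6789"}'),
    ("GET /api/v1/config",
     {"Content-Type": "application/json", "Cache-Control": "no-store"},
     '{"api_key": "sk_live_0123456789abcdefXYZ", "region": "us-east-1"}'),
    ("GET /api/v1/courses",
     {"Content-Type": "application/json"},
     '[{"id": 1, "title": "Intro to Networks"}]'),
]

if __name__ == "__main__":
    for f in scan_all(SAMPLE_RESPONSES):
        print(f"{f.endpoint}: {f.category} ({f.sample})")
```

Regex patterns like these produce false positives on their own (a course code can look like a key), so a scanner weights them by endpoint context and response type; the example keeps that out to stay readable.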

Authenticated Scanning and Safety Controls

Authenticated scanning supports Bearer tokens, API keys, Basic auth, and cookies once the domain has been verified. Only a limited set of headers is forwarded to the target: Authorization, X-API-Key, Cookie, and X-Custom-* headers. Safety controls block private IP ranges, localhost, and cloud metadata endpoints at multiple layers, and the read-only request set (GET and HEAD, plus the text-only POST used for LLM probes) means no destructive payloads are sent. Customer data is deletable on demand, is purged within 30 days of cancellation, and is never sold or used for model training.
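The two controls above (target blocking and a header allow-list) as an added example, not middleBrick's own code: every address a hostname resolves to is classified, so a name that answers with one public and one internal address is rejected, IPv4-mapped IPv6 addresses are unwrapped before the check, and the cloud metadata endpoints are matched explicitly. The resolver is injectable so the example runs offline; the hostname block-list and header names are assumptions based on the paragraph.

```python
"""Target and header safety controls for a black-box scanner.

Added example, not middleBrick's own code. The resolver is injectable so
the checks run offline; the default uses the system resolver.
"""
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}
# Instance metadata addresses (IPv4 IMDS used by the major clouds, AWS IPv6 IMDS).
METADATA_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}
FORWARDED_HEADERS = {"authorization", "x-api-key", "cookie"}
FORWARDED_PREFIX = "x-custom-"


def classify_ip(ip) -> str | None:
    """Return why an address is off-limits, or None if it is a routable public address."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    if ip in METADATA_ADDRESSES:
        return "cloud metadata endpoint"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private range"
    if not ip.is_global:
        return "non-global range"
    return None


def system_resolver(host: str) -> list[str]:
    """Default resolver: all A/AAAA answers, so a mixed answer cannot smuggle a blocked address."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_target(url: str, resolver=system_resolver) -> tuple[bool, str]:
    parts = urlsplit(url)
    if parts.scheme not in {"http", "https"}:
        return False, f"unsupported scheme {parts.scheme!r}"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return False, f"blocked hostname {host}"
    try:
        addresses = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            addresses = []
    if not addresses:
        return False, f"{host} did not resolve"
    for ip in addresses:
        reason = classify_ip(ip)
        if reason:
            return False, f"{host} -> {ip} is {reason}"
    return True, "ok"


def filter_headers(headers: dict[str, str]) -> dict[str, str]:
    """Forward only the allow-listed credential headers and X-Custom-* headers."""
    return {
        k: v for k, v in headers.items()
        if k.lower() in FORWARDED_HEADERS or k.lower().startswith(FORWARDED_PREFIX)
    }
```

A pre-flight check like this is only one layer: a DNS answer can change between the check and the connection (rebinding), so the same classification has to be applied again to the address the HTTP client actually connects to, and redirects need re-checking as well. That is what "at multiple layers" has to mean for the control to hold.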

Continuous Monitoring and Integration

The Pro tier schedules rescans every 6 hours, daily, weekly, or monthly, with diff detection that highlights new findings, resolved findings, and score drift between runs. Alerts are delivered by email (rate-limited to one per hour per API) and by HMAC-SHA256 signed webhooks, which are automatically disabled after 5 consecutive delivery failures. The CLI, GitHub Action, and MCP Server integrations provide CI/CD gates and ongoing tracking without code access or SDKs.
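The pipeline described above, as an added example that is not middleBrick's own implementation: a diff between two scan results, an HMAC-SHA256 signature over the webhook body with the timestamp bound in so a captured delivery cannot be replayed, a receiver that checks freshness and compares the MAC in constant time, and a delivery counter that disables the webhook after 5 consecutive failures. The header names, the signed-string layout and the timestamp tolerance are assumptions; the transport is injectable so the example runs offline.

```python
"""Scan diffing and HMAC-SHA256 signed webhook delivery with auto-disable.

Added example, not middleBrick's own code. Header names, the signed-string
layout and the timestamp tolerance are assumptions chosen to show the
technique; the transport is injectable so the example runs offline.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass

MAX_CONSECUTIVE_FAILURES = 5
TIMESTAMP_TOLERANCE = 300  # seconds for which a receiver accepts a delivery (assumed)


def diff_scans(previous: dict, current: dict) -> dict:
    """previous/current: {"score": int, "findings": {finding_id: title}}."""
    before, after = set(previous["findings"]), set(current["findings"])
    return {
        "new": sorted(after - before),
        "resolved": sorted(before - after),
        "score_drift": current["score"] - previous["score"],
    }


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    # The timestamp is bound into the MAC so a captured delivery cannot be replayed later.
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify(secret: bytes, timestamp: int, body: bytes, signature: str, now: int) -> bool:
    """Receiver-side check: fresh timestamp and constant-time MAC comparison."""
    if abs(now - timestamp) > TIMESTAMP_TOLERANCE:
        return False
    return hmac.compare_digest(sign(secret, timestamp, body), signature)


@dataclass
class Webhook:
    url: str
    secret: bytes
    consecutive_failures: int = 0
    enabled: bool = True

    def deliver(self, event: dict, transport, now: int) -> bool:
        """transport(url, headers, body) -> bool; a raised exception counts as a failure."""
        if not self.enabled:
            return False
        body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
        headers = {
            "Content-Type": "application/json",
            "X-Webhook-Timestamp": str(now),
            "X-Webhook-Signature": "sha256=" + sign(self.secret, now, body),
        }
        try:
            ok = bool(transport(self.url, headers, body))
        except Exception:
            ok = False
        if ok:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False  # stop retrying a dead or rejecting endpoint
        return ok


def make_receiver(secret: bytes, clock):
    """A constructed receiving endpoint that validates the signature before accepting."""
    accepted: list[dict] = []

    def receive(url: str, headers: dict, body: bytes) -> bool:
        ts = int(headers["X-Webhook-Timestamp"])
        sig = headers["X-Webhook-Signature"].removeprefix("sha256=")
        if not verify(secret, ts, body, sig, clock()):
            return False
        accepted.append(json.loads(body))
        return True

    return receive, accepted
```

On the receiving side, verify the MAC over the raw request bytes before parsing the JSON; re-serializing a parsed body and signing that is a common way to end up with a signature that never matches.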

Frequently Asked Questions

Does middleBrick perform active exploitation like SQL injection?
No. The scanner uses read-only methods and does not execute intrusive payloads such as active SQL injection or command injection.
Can it validate controls for HIPAA or GDPR?
It aligns with security controls described in HIPAA and GDPR to help you prepare for audits, but it does not certify compliance.
How are OpenAPI specs analyzed?
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0, resolves recursive $ref references, and cross-references definitions against runtime findings to identify undefined security schemes or deprecated operations.
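The specification analysis described in the FAQ answer above and in the detection coverage section, as an added example that is not middleBrick's own parser: local `$ref` pointers are resolved recursively with a guard that marks circular references instead of recursing forever, each operation's security requirements are checked against the schemes the document actually defines (OpenAPI `components.securitySchemes` or Swagger 2.0 `securityDefinitions`), deprecated operations are flagged, and runtime-observed paths are matched against the spec's path templates to find undocumented endpoints. The sample specification and the observed endpoint list are constructed; remote (cross-file) references are out of scope here.

```python
"""OpenAPI/Swagger analysis: recursive $ref resolution and security-scheme audit.

Added example, not middleBrick's own parser. Only local (same-document)
$ref pointers are handled; the sample specification and the observed
endpoint list are constructed.
"""
from __future__ import annotations

import re

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def resolve_pointer(doc: dict, ref: str):
    """Follow a JSON Pointer such as '#/components/schemas/Student' (RFC 6901 escapes)."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local $ref is supported in this example: {ref}")
    node = doc
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def resolve_refs(doc: dict, node=None, seen: tuple[str, ...] = ()):
    """Return a copy with $ref expanded; a ref already on the current path is marked circular."""
    if node is None:
        node = doc
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str):
            if ref in seen:
                return {"$ref": ref, "x-circular": True}
            return resolve_refs(doc, resolve_pointer(doc, ref), seen + (ref,))
        return {k: resolve_refs(doc, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(doc, v, seen) for v in node]
    return node


def defined_schemes(doc: dict) -> set[str]:
    # OpenAPI 3.x keeps schemes under components; Swagger 2.0 under securityDefinitions.
    schemes = set((doc.get("components") or {}).get("securitySchemes") or {})
    schemes |= set(doc.get("securityDefinitions") or {})
    return schemes


def audit_operations(doc: dict) -> list[dict]:
    """Flag undefined schemes, operations with no requirement at all, and deprecated operations."""
    schemes = defined_schemes(doc)
    global_security = doc.get("security")
    issues = []
    for path, item in (doc.get("paths") or {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            security = op.get("security", global_security)  # operation overrides document
            if security is None:
                issues.append({"op": where, "kind": "no-security-requirement"})
            elif security == []:
                issues.append({"op": where, "kind": "explicitly-public"})
            else:
                for requirement in security:
                    for name in requirement:
                        if name not in schemes:
                            issues.append({"op": where, "kind": "undefined-security-scheme", "scheme": name})
            if op.get("deprecated"):
                issues.append({"op": where, "kind": "deprecated-operation"})
    return issues


def _template_regex(path: str) -> re.Pattern:
    parts = re.split(r"(\{[^/}]+\})", path)
    return re.compile("^" + "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts) + "$")


def undocumented_endpoints(doc: dict, observed: list[str]) -> list[str]:
    """Cross-reference runtime-observed paths against the spec's path templates."""
    templates = [_template_regex(p) for p in (doc.get("paths") or {})]
    return [p for p in observed if not any(t.match(p) for t in templates)]


# Constructed OpenAPI 3.0 document used as sample input.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "Address": {"type": "object", "properties": {"city": {"type": "string"}}},
            "Student": {"type": "object", "properties": {
                "address": {"$ref": "#/components/schemas/Address"},
                "advisor": {"$ref": "#/components/schemas/Student"},  # self-referencing
            }},
        },
    },
    "paths": {
        "/students/{id}": {"get": {"security": [{"bearerAuth": []}], "responses": {"200": {
            "content": {"application/json": {"schema": {"$ref": "#/components/schemas/Student"}}}}}}},
        "/grades": {"get": {"security": [{"oauthGrades": ["read"]}]}},  # scheme never defined
        "/health": {"get": {"security": []}},                            # explicitly public
        "/courses": {"get": {"deprecated": True}},                       # no requirement anywhere
    },
}
```

The distinction between `security: []` and no `security` key is deliberate: the first is an explicit statement that the operation is public and is worth a review, the second usually means nobody decided, which is the more common root cause of an unauthenticated endpoint.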
What happens if a scan fails the build in CI?
The GitHub Action can fail the build when the API score drops below a configured threshold, enabling automated quality gates for critical APIs.