Apigee for Healthcare

What middleBrick covers

  • Black-box API scanning with read-only methods under one minute
  • Risk scoring across 12 categories aligned to OWASP API Top 10
  • OpenAPI spec parsing with recursive $ref resolution
  • Authenticated scanning with strict header allowlists
  • Continuous monitoring and diff detection across scans
  • CI/CD integration with build gating in GitHub Actions

API Security Posture for Healthcare Workloads

Healthcare APIs handle protected health information (PHI) and are subject to strict regulatory expectations. The scanner evaluates the externally reachable API surface using read-only methods, so nothing intrusive is executed against a production system, and maps what it finds to industry frameworks. Each scan produces a risk grade and prioritized findings so you can judge exposure in proportion to the sensitivity of the data behind each endpoint.

Mapping to Compliance Frameworks

Findings map to controls in PCI DSS 4.0, SOC 2 Type II, and the OWASP API Security Top 10 (2023). The scanner also flags findings that bear on audit evidence for regulations such as HIPAA and GDPR, helping you tie security controls to the standards that apply to your workload. Categories covered include:

  • Authentication and transport issues such as JWT misconfigurations and missing or weak security headers.
  • Broken Object Level Authorization (BOLA) and excessive data exposure patterns.
  • Request-handling gaps such as permissive CORS policies and dangerous HTTP methods left enabled.
  • Data exposure indicators such as PII patterns and API key leakage.
  • SSRF indicators on parameters that accept URLs, identified without executing active exploits.

Scan Methodology and Limitations

Black-box scanning completes in under a minute using read-only methods (GET and HEAD) plus text-only POST requests for LLM probes. Targets that point at private IP ranges, localhost, or cloud metadata endpoints are blocked at multiple layers, so the scanner cannot be turned into an SSRF proxy against internal infrastructure. The tool does not fix, patch, or remediate issues, and it does not perform active SQL injection or command injection testing. Business logic vulnerabilities and blind SSRF, which needs out-of-band infrastructure to detect, are out of scope.
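The target blocking described above, as an added Python example of how such a check is layered (this is not middleBrick's code, and the blocked ranges, hostnames, and the sample resolver table are constructed for the example). The first layer inspects addresses, including IPv4-mapped IPv6 forms; the second checks scheme and hostname and then every address the host resolves to, which is what catches shorthand literals such as 127.1 and names that resolve to an internal address alongside a public one:

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed list (assumption): "this host", RFC 1918, CGNAT, loopback,
# link-local (which contains the 169.254.169.254 cloud metadata address),
# and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
# Names refused before any resolution happens (assumed list).
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata"}

# Constructed stand-in for DNS so the example runs offline.
SAMPLE_RESOLUTIONS = {
    "api.hospital.example.com": ["203.0.113.10"],
    "rebind.example": ["203.0.113.10", "10.0.0.1"],   # one public, one private answer
    "127.1": ["127.0.0.1"],                            # libc-style shorthand literal
}


def sample_resolve(hostname):
    return SAMPLE_RESOLUTIONS.get(hostname, [])


def ip_is_blocked(ip_str):
    """Layer 1: is this address inside a blocked range?"""
    ip = ipaddress.ip_address(ip_str)
    # ::ffff:127.0.0.1 is loopback too; unwrap IPv4-mapped addresses first.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def target_is_allowed(url, resolve):
    """Layer 2: check scheme, hostname, then every address the host resolves to.

    `resolve` maps a hostname to a list of IP strings and is injected so the
    check runs offline. A real scanner would use the system resolver and then
    connect to the vetted address itself rather than re-resolving, so that a
    DNS rebinding between check and connect cannot bypass the check.
    Returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no host in URL"
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return False, f"blocked hostname {host}"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # URL carried a literal IP
    except ValueError:
        # ip_address() rejects shorthand such as 127.1, but libc accepts it;
        # sending it through the resolver and checking the answer catches it.
        addrs = resolve(host)
    if not addrs:
        return False, f"{host} did not resolve"
    for addr in addrs:
        if ip_is_blocked(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://api.hospital.example.com/openapi.json",
              "http://169.254.169.254/latest/meta-data/",
              "https://rebind.example/", "http://127.1/"):
        print(u, target_is_allowed(u, sample_resolve))
```

Note the ordering: the literal-IP check runs before resolution, and the post-resolution check runs over every answer, so a host with a mixed public/private answer set is refused rather than scanned on whichever address happens to come first.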

OpenAPI 3.0, 3.1, and Swagger 2.0 specs are parsed with recursive $ref resolution, and findings are cross-referenced against the spec to flag operations that reference security schemes the spec never defines and operations marked deprecated.
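Recursive $ref resolution and the two spec cross-checks just described, as an added Python example (not middleBrick's parser; the sample spec is constructed, and treating non-local $ref targets as out of scope is an assumption). The resolver tracks the refs on the current path so a self-referential schema terminates instead of recursing forever, and the audit also reports operations with no security requirement at all, since an explicit empty `security: []` on an operation switches off the document-level requirement:

```python
from urllib.parse import unquote

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
_ROOT = object()   # sentinel: a JSON null in the spec must not be mistaken for "start at root"


def _resolve_pointer(doc, ref):
    """Follow a local JSON Pointer such as '#/components/schemas/Patient'."""
    if not ref.startswith("#/"):
        raise ValueError(f"non-local $ref not supported here: {ref}")   # assumption
    node = doc
    for token in ref[2:].split("/"):
        token = unquote(token).replace("~1", "/").replace("~0", "~")   # RFC 6901 escapes
        node = node[int(token)] if isinstance(node, list) else node[token]
    return node


def resolve_refs(doc, node=_ROOT, seen=()):
    """Inline every $ref recursively. A ref already on the current path is a
    cycle; it is left as a marker so resolution terminates."""
    if node is _ROOT:
        node = doc
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in seen:
                return {"$ref": ref, "x-cycle": True}
            return resolve_refs(doc, _resolve_pointer(doc, ref), seen + (ref,))
        return {k: resolve_refs(doc, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(doc, v, seen) for v in node]
    return node


def audit_spec(doc):
    """Cross-reference each operation against the spec's own definitions.
    Returns (check, location) tuples for deprecated operations, operations
    whose security requirement names an undefined scheme, and operations
    that end up with no security requirement at all."""
    if doc.get("swagger") == "2.0":
        defined = set(doc.get("securityDefinitions", {}))
    else:
        defined = set(doc.get("components", {}).get("securitySchemes", {}))
    global_security = doc.get("security")
    findings = []
    for path, item in doc.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            where = f"{method.upper()} {path}"
            if op.get("deprecated"):
                findings.append(("deprecated-operation", where))
            security = op.get("security", global_security)   # op-level overrides global
            if not security:                                  # None or explicit []
                findings.append(("no-security-requirement", where))
                continue
            for requirement in security:
                for scheme in requirement:
                    if scheme not in defined:
                        findings.append(("undefined-security-scheme", f"{where} -> {scheme}"))
    return findings


# Constructed sample: a self-referential schema, a deprecated operation that
# names a scheme the spec never defines, and an operation that opts out of auth.
SAMPLE_SPEC = {
    "openapi": "3.1.0",
    "info": {"title": "Patient API (sample)", "version": "1.0"},
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {"Patient": {"type": "object", "properties": {
            "id": {"type": "string"},
            "nextOfKin": {"$ref": "#/components/schemas/Patient"},
        }}},
    },
    "security": [{"bearerAuth": []}],
    "paths": {
        "/patients/{id}": {
            "get": {"responses": {"200": {"description": "ok", "content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/Patient"}}}}}},
            "delete": {"deprecated": True, "security": [{"legacyKey": []}],
                       "responses": {"204": {"description": "deleted"}}},
        },
        "/health": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
    },
}

if __name__ == "__main__":
    for finding in audit_spec(resolve_refs(SAMPLE_SPEC)):
        print(*finding)
```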

Authenticated Scanning and Safe Access Controls

Authenticated scanning is available on the Starter tier and above for Bearer, API key, Basic auth, and Cookie credentials. Domain verification is enforced via a DNS TXT record or an HTTP well-known file, so only the domain's owner can scan it with credentials. Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers; anything else is dropped, to reduce unintended data exposure.

curl -X POST https://scanner.middlebrick.example/start \
  -H "Content-Type: application/json" \
  -d '{
        "url": "https://api.hospital.example.com/openapi.json",
        "auth": {
          "type": "bearer",
          "token": "***"
        }
      }'
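The owner-verification and header-allowlist rules above, as an added Python example of the receiving side (not middleBrick's code). The allowlist is the one the page states; the TXT record layout "middlebrick-verify=<token>" and the CR/LF rejection are assumptions, and the records and headers used below are constructed. The token comparison is constant-time, and matching is on the lowercased header name because HTTP header names are case-insensitive:

```python
import hmac
import secrets

ALLOWED_EXACT = {"authorization", "x-api-key", "cookie"}   # from the page
ALLOWED_PREFIXES = ("x-custom-",)                          # X-Custom-* from the page
VERIFY_PREFIX = "middlebrick-verify="                      # assumed record layout


def issue_verification_token():
    """Token the domain owner publishes in DNS TXT or the well-known file.
    32 random bytes, URL-safe, so it cannot be guessed by anyone who does
    not control the zone or the web root."""
    return secrets.token_urlsafe(32)


def domain_verified(txt_records, expected_token):
    """True if one of the TXT records fetched for the domain carries the token.
    Records are passed in (constructed in the caller) so this runs offline.
    compare_digest keeps the check constant-time; comparing bytes avoids its
    ASCII-only restriction on str."""
    want = expected_token.encode()
    for record in txt_records:
        record = record.strip().strip('"')
        if record.startswith(VERIFY_PREFIX):
            if hmac.compare_digest(record[len(VERIFY_PREFIX):].encode(), want):
                return True
    return False


def header_allowed(name):
    n = name.strip().lower()
    if n in ALLOWED_EXACT:
        return True
    # bare "x-custom-" with nothing after it is not a header we forward
    return any(n.startswith(p) and len(n) > len(p) for p in ALLOWED_PREFIXES)


def filter_forwarded_headers(requested):
    """Split user-supplied headers into (kept, dropped).

    Dropped: anything outside the allowlist (so a caller cannot make the
    scanner send Host overrides, X-Forwarded-For, etc.) and any value with
    CR or LF in it (so a forwarded value cannot smuggle a second header line)."""
    kept, dropped = {}, []
    for name, value in requested.items():
        if not header_allowed(name) or "\r" in value or "\n" in value:
            dropped.append(name)
            continue
        kept[name] = value
    return kept, dropped


if __name__ == "__main__":
    token = issue_verification_token()
    print(domain_verified([f"{VERIFY_PREFIX}{token}"], token))
    print(filter_forwarded_headers({"Authorization": "Bearer ***", "Host": "internal"}))
```

Dropping silently is deliberate: the scan request is accepted and the dropped names are reported back, rather than rejecting the whole scan, so a client that sends a stray tracing header still gets a result.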

Products, Integrations, and Continuous Monitoring

The Web Dashboard centralizes scans, report views, score trends, and branded compliance PDFs. The CLI supports single scans with JSON or text output, and the GitHub Action can gate CI/CD when scores drop below a defined threshold. The MCP Server enables scanning from AI coding assistants.

Pro tier adds scheduled rescans (every 6 hours up to monthly), diff detection that reports new and resolved findings between scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that are automatically disabled after 5 consecutive delivery failures. Scan data can be deleted on demand and is purged within 30 days of cancellation; it is never sold or used for model training.
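Diff detection and signed webhook delivery as an added Python example showing both the producer and the receiver side (not middleBrick's code). The page says only that webhooks are HMAC-SHA256 signed; the header name, the "t=<unix>,v1=<hex>" layout, the 5-minute tolerance, and signing "<timestamp>.<body>" are assumptions, and the findings and secret are constructed. Binding the timestamp into the MAC is what stops a captured delivery from being replayed later, and the receiver verifies over the raw bytes as received because re-serialising the JSON first would change them:

```python
import hashlib
import hmac
import json
import time

SIGNATURE_HEADER = "X-MiddleBrick-Signature"   # assumed name
TOLERANCE_SECONDS = 300                        # assumed replay window


def diff_findings(previous, current):
    """Findings are (check, location) tuples: present now but not before is
    new, the reverse is resolved. Sorted so the body is deterministic."""
    prev, cur = set(previous), set(current)
    return {"new": sorted(cur - prev), "resolved": sorted(prev - cur)}


def sign_webhook(secret, timestamp, body):
    """Producer side: HMAC-SHA256 over "<timestamp>.<body>"."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_delivery(secret, previous, current, timestamp):
    """Assemble the body and the signature header for one delivery."""
    body = json.dumps(diff_findings(previous, current), separators=(",", ":")).encode()
    sig = sign_webhook(secret, timestamp, body)
    return {SIGNATURE_HEADER: f"t={timestamp},v1={sig}"}, body


def verify_webhook(secret, headers, body, now=None):
    """Receiver side. Returns (ok, reason). `now` is injectable for testing."""
    now = time.time() if now is None else now
    fields = {}
    for part in headers.get(SIGNATURE_HEADER, "").split(","):
        if "=" in part:
            k, v = part.split("=", 1)
            fields[k.strip()] = v.strip()
    if "t" not in fields or "v1" not in fields:
        return False, "missing signature header"
    try:
        ts = int(fields["t"])
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance"
    expected = sign_webhook(secret, ts, body)
    if not hmac.compare_digest(expected.encode(), fields["v1"].encode()):   # constant-time
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed findings from two consecutive scans of one API.
    prev = [("missing-hsts", "api.hospital.example.com"),
            ("undefined-security-scheme", "DELETE /patients/{id}")]
    cur = [("missing-hsts", "api.hospital.example.com"),
           ("permissive-cors", "GET /patients/{id}")]
    secret = b"whsec_constructed_secret"
    hdrs, body = build_delivery(secret, prev, cur, int(time.time()))
    print(body.decode())
    print(verify_webhook(secret, hdrs, body))
```

On the receiver, check the timestamp before computing the MAC so stale deliveries are rejected cheaply, and treat any verification failure as a reason to return a non-2xx status; that is what feeds the sender's consecutive-failure counter.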

Frequently Asked Questions

Does this scanner perform active exploitation such as SQL injection?
No. The scanner uses read-only methods and does not execute intrusive payloads like SQL injection or command injection.
Can authenticated scans be run in healthcare environments?
Yes. Authenticated scans support common schemes and require domain verification to ensure only authorized owners can scan protected environments.
How are LLM security probes conducted?
LLM probes use text-only POST methods across three scan tiers to test for system prompt extraction, jailbreak techniques, and data exfiltration indicators without executing destructive actions.
What happens to scan data after cancellation?
Customer scan data is deletable on demand and fully purged within 30 days of cancellation. It is not sold and is not used for training models.