code review · 09

Source code review by engineers who wrote your stack.

Manual security review of your source code. We read the auth path, the crypto layer, the data-handling code, and the integrations. Findings come with line numbers and pull-request-ready fix suggestions.

01. in scope

What's in scope.

Areas we focus on.

Authentication and session

Login, password handling, session lifecycle, MFA, OAuth, SSO, magic links, password reset. The most frequently broken part of every web stack.

Authorization (server-side)

Per-route checks, per-record checks, IDOR risk, broken object-level authorization, role-based vs attribute-based access control, multi-tenant data isolation.

Crypto and data protection

Key management, encryption at rest and in transit, password hashing, token signing, JWT verification, secrets in code or logs.

Input handling

SQL injection, command injection, deserialization, file uploads, path traversal, XXE. Across every entry point and protocol.

Integrations and webhooks

Webhook signature verification, third-party API trust, SSO assertion handling, OAuth callback validation. Common source of trust-boundary mistakes.

Dependency surface

High-risk dependencies, abandoned packages, transitive-trust risk, supply-chain risk. Triaged for actual exploitability, not just CVE noise.

02. how we work

How we work on it.

How a code review runs.

  1. Scoping call. 60 minutes. Repo overview, stack overview, what worries you most, what to prioritize.
  2. Read-only access. Limited-access GitHub or GitLab account, or an export of the relevant directories. NDA in place.
  3. Manual review. Two to four weeks depending on codebase size. We read the code. We do not just run scanners.
  4. Findings draft. Each finding pinned to file and line. Severity, exploit path, suggested fix, sometimes a draft PR.
  5. Walkthrough call. We sit with your engineers to walk every finding, answer questions, and prioritize the fix order.

03. deliverables

What you walk away with.

Deliverables.

Findings report (markdown + PDF)

Each finding: file, line, severity, exploit chain, recommended fix, code snippet. PR-friendly format.

Draft pull requests

For straightforward fixes, we open the PR. Your engineer reviews, tunes, merges. Saves a sprint.

Dependency triage

Filtered list of dependencies that need attention. The signal-to-noise ratio matters more than the CVE count.

Threat-model gap list

Where the code disagrees with the documented threat model. Useful to update either the code or the model.

Engineer training notes

Patterns we saw repeatedly. Useful for adding to your internal code-review checklist or onboarding doc.

Retest

After fixes ship, we re-run the relevant slice and mark each finding resolved.

04. when

When teams hire us for this.

When a code review pays off.

Before a public launch

You are about to point real users at the system. A pre-launch code review catches the mistakes a pentest would not see from the outside.

After a major refactor

Auth rewrite, multi-tenancy added, payment integration in. Code review verifies the new path before customers find the holes.

After hiring engineers you have not security-trained yet

Five new engineers shipped a sprint of new code. A code review surfaces what onboarding missed, before it ends up in production.

Compliance asks for it

SOC 2 and ISO 27001 reviewers increasingly expect evidence of independent code review.

05. faq

Questions before the call.

Code-review FAQ.

Do you use SAST tools?

Yes, as a starting point. We cut the raw scanner output to less than 10% of its volume before a human reads what remains. The report you receive is what humans found, not what scanners screamed about.

What languages do you cover?

JavaScript, TypeScript, Python, Go, Rust, Ruby, Java, C#, Swift, Kotlin, PHP. C and C++ on request. Other languages: ask.

What about IaC and config?

Infrastructure-as-code (Terraform, CloudFormation, Helm, Kustomize) is in scope by default for cloud-native projects. Ask if you need DevOps-config audit too.

Do you need full repo access?

No. Read-only access to the directories in scope is enough. If you cannot grant repo access, an export works.

Will the report include false positives?

Every finding is manually verified. Severity and exploitability are based on the actual code path, not the pattern match.

Want a human read of your code?

30-minute scoping call gets you a fixed fee, a written scope, and a finish-by date. We never bill by line of code reviewed.