Manual · SAST-assisted
Secure Code Review
Human review of authentication, authorisation, crypto and trust boundaries, with SAST as support rather than substitute.
We read your application’s source code by hand to find the security vulnerabilities automated scanners miss. SAST tools catch common patterns: injection templates, hardcoded secrets, known vulnerable libraries. They cannot reason about architecture, business logic or the trust boundaries that decide whether a vulnerability is exploitable. Checklist tooling finds checklist vulnerabilities. We read code the way an attacker would and look for the gaps between what the developer intended and what the code enforces.
The person who scopes your review delivers it. We lead the work throughout.
Who this is for / when to test
- Significant change: you are building or refactoring a critical application, or approaching a major go-live.
- Compliance and assurance: you work in a regulated industry (finance, healthcare, government) where code-level security is mandated.
- Customer and tender requirements: buyers want assurance over a product they depend on.
- Post-incident: you need to confirm the root cause is fixed at source.
- Capability building: you want to establish secure development practices by understanding the weaknesses in your current codebase.
What we test
- Authentication and authorisation: login logic, session management, MFA enforcement, and consistent access-control checks at every layer; horizontal and vertical privilege escalation, IDOR and missing function-level checks.
- Trust boundaries: validation, sanitisation and authentication of data crossing from untrusted to trusted contexts.
- Cryptography and secrets: algorithm and key-length choices, password hashing (Argon2/bcrypt/scrypt), secure randomness for tokens, and secrets hardcoded in source or config.
- Injection and input handling: SQL and NoSQL injection, command injection, LDAP/XPath/XML injection, and unsafe deserialisation.
- Business logic and workflow: step-skipping, price and quantity manipulation, race conditions and TOCTOU, and state tampering.
- API security: authentication consistency, JWT validation, rate limiting, mass assignment, GraphQL controls and CORS policy.
- Dependencies and supply chain: known-vulnerable and abandoned libraries, plus Dockerfile and infrastructure-as-code misconfigurations.
Our methodology
We work to the OWASP Code Review Guide, validate coverage against the OWASP ASVS, and prioritise against the CWE Top 25. SAST supports the manual review; it does the groundwork while we do the analysis.
- Scoping and architecture review: we discuss purpose, stack, deployment model and threat model, then identify the highest-risk components.
- Tool-assisted baseline: we run SAST (Semgrep, CodeQL, SonarQube or language-specific scanners) to establish a baseline and catch the obvious issues.
- Manual deep dive: we review critical components line by line and trace data flows from untrusted input through the application.
- Exploitability confirmation: we build proof-of-concept where we can to separate theoretical issues from practical risk.
- Reporting and debrief: we deliver findings with code references and fixes, then walk you through them live.
- Remediation support and retest: we review your proposed fixes and retest to confirm they resolve the issue without introducing new ones.
Testing approaches
Secure code review is a white-box activity: it requires source access. We tailor depth to risk. A focused review of the most security-critical modules (authentication, payments, admin, integrations) tends to deliver the most value per pound, and we can run a broader pass where budget and risk justify it. We agree the balance at scoping.
What you get
- An executive summary covering what we reviewed and the overall posture of the codebase.
- Technical findings with file path, line number, evidence and impact.
- Per-finding remediation at code level, plus secure-coding recommendations for your language and framework.
- A dependency health report with vulnerability status and upgrade advice.
- A CVSS severity rating alongside a business-risk rating.
- Same-day notification of any critical finding.
- A debrief call and a retest of remediated findings, both included.
We write reports by hand. Your board reads the executive summary; your engineers act on dev-ready detail.
FAQs
How long does a review take? It depends on the volume of code and the proportion of it that is security-critical. Most focused reviews run five to ten days. We confirm at scoping once we have sized the codebase.
Will you need our source code? Yes. We review against the source, handled under NDA and access controls we agree with you.
Can it be done remotely? Yes. We deliver remotely from the UK.
Is this the same as a SAST scan? No. SAST is one input. We add the manual analysis of logic, architecture and trust boundaries that tools cannot evaluate.