
The Bug Lives in the Code

Automated scanners find the obvious. Our security engineers read your code the way an attacker would — tracing data flows, chaining logic flaws, and finding vulnerabilities that no tool will ever surface.

auth.py
import hashlib, sqlite3

def login(username, password):
    conn = sqlite3.connect("users.db")
    # ⚠ SQL INJECTION — user input unsanitised   [CRITICAL]
    query = (f"SELECT * FROM users WHERE "
             f"user='{username}' AND pwd='{password}'")
    result = conn.execute(query).fetchone()
    if result:
        return generate_token(result[0])

def hash_password(pwd):
    # ⚠ WEAK HASH — MD5 is cryptographically broken   [HIGH]
    return hashlib.md5(pwd.encode()).hexdigest()

# ✅ FIXED: use parameterised queries +
# bcrypt with cost factor ≥ 12
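The hardened form of the auth.py snippet above, as an added example that is not part of the original page: the query binds the username as a parameter, the password hash is verified in Python with a constant-time compare, and the stored hash is salted and slow. The page recommends bcrypt with cost factor ≥ 12; hashlib.pbkdf2_hmac is used here as a stdlib stand-in so the example runs without third-party packages, and the table schema, generate_token and the round count are assumptions.

```python
# Added example, not the page's code. PBKDF2-HMAC-SHA256 stands in for the
# bcrypt (cost >= 12) the page recommends; swap in bcrypt.hashpw/checkpw
# in production. Schema and generate_token are assumed for illustration.
import hashlib
import hmac
import os
import secrets
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumed work factor; raise it to your latency budget


def hash_password(pwd: str, salt: bytes = b"") -> str:
    """Return 'salt$hash' in hex, salted with 16 random bytes."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pwd.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(pwd: str, stored: str) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", pwd.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def generate_token(user_id: int) -> str:
    """Opaque session token (server-side lookup of user_id is assumed)."""
    return f"{user_id}:{secrets.token_urlsafe(32)}"


def login(conn: sqlite3.Connection, username: str, password: str):
    # The ? placeholder binds username as data: quotes in it never reach
    # the SQL parser, so the injection finding above no longer applies.
    row = conn.execute(
        "SELECT id, pwd_hash FROM users WHERE user = ?", (username,)
    ).fetchone()
    # Never compare secrets inside SQL; verify the hash here instead.
    if row is None or not verify_password(password, row[1]):
        return None
    return generate_token(row[0])


def make_test_db() -> sqlite3.Connection:
    """Constructed in-memory users table with one account: alice / correct horse."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "user TEXT UNIQUE, pwd_hash TEXT)")
    conn.execute("INSERT INTO users (user, pwd_hash) VALUES (?, ?)",
                 ("alice", hash_password("correct horse")))
    conn.commit()
    return conn
```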
vulnerability classes

What We Find

Every review covers the full OWASP Top 10 and beyond — manual analysis combined with custom SAST tooling tuned to your stack.

injection.py / sqli.js CRITICAL
Injection Flaws

SQL, NoSQL, LDAP, OS command, and SSTI injection — tracing unsanitised input from entry point to database or system call, including second-order injection and ORM-level bypasses.

Python, Java, PHP, Node.js, Go
crypto_util.java CRITICAL
Cryptography Weaknesses

Broken algorithms (MD5, SHA1, DES, ECB mode), hardcoded IV/keys, predictable random number generation, insecure key storage, and custom crypto implementations that should never exist.

Java, C#, Python, Kotlin
.env / config.yml CRITICAL
Hardcoded Secrets

API keys, database credentials, JWT signing secrets, cloud access tokens, and private keys hardcoded in source files, config files, build scripts, and git history.

All languages, YAML, Git history
auth_middleware.ts HIGH
Authentication & Authorisation

Broken auth logic, missing authorisation checks, JWT algorithm confusion (alg:none), mass assignment, IDOR, privilege escalation paths, and insecure session management.

TypeScript, JavaScript, Go, Ruby
renderer.js / template.php HIGH
XSS & Template Injection

Reflected, stored, and DOM-based XSS, server-side template injection (SSTI), unsafe innerHTML usage, missing Content-Security-Policy, and dangerous eval() / dangerouslySetInnerHTML patterns.

JavaScript, React, PHP, Jinja2
file_handler.py HIGH
Insecure File Operations

Path traversal, unsafe deserialization, unrestricted file uploads, XXE in XML parsers, zip slip vulnerabilities, and insecure temporary file handling that enables arbitrary read/write.

Python, Java, PHP, C#
how we work

Review Methodology

Manual-first analysis with tooling assist — our engineers read your code, not just run scanners against it.

// PHASE 01

Codebase Intake & Scope

Receive source via secure Git access or encrypted archive. Map technology stack, frameworks, and entry points. Define high-value targets — auth flows, payment logic, admin functions, and API endpoints.

// PHASE 02

Automated SAST Scan

Run Semgrep, Bandit, ESLint Security, and CodeQL with custom rule sets tuned to your stack. Triage and de-duplicate findings — filtering false positives before manual review begins.

// PHASE 03

Manual Data Flow Analysis

Trace all user-controlled input from source to sink — manually following data through business logic, across service boundaries, through ORMs, and into storage to find what SAST tools miss entirely.

// PHASE 04

Business Logic Review

Review application-specific logic — transaction flows, access control decisions, state machine flaws, race conditions, and workflow bypasses that require understanding the application's intent to identify.

// PHASE 05

Dependency & Supply Chain Audit

Audit third-party dependencies for known CVEs, abandoned packages, typosquatting risks, and overly-permissive library versions. Review npm, Maven, pip, and Gradle lockfiles for supply chain exposure.

// PHASE 06

Annotated Report & Fix Review

Deliver findings as annotated code with line-level references, severity ratings, and exact fix recommendations. Optional: review developer fixes before merge and provide a cleared retest confirmation.

languages & tools

What We Support

We review codebases in every major language and framework — no stack is out of scope.

Python, Java, JavaScript, TypeScript, PHP, Go, Ruby, Rust, C / C++, C# / .NET, Swift, Kotlin
sast & analysis tools
Semgrep, CodeQL, Bandit, ESLint Security, SonarQube, Checkmarx, Snyk Code, SpotBugs, Brakeman, PMD, GitLeaks, TruffleHog, OWASP Dependency-Check, Retire.js, Safety (Python), npm audit, Grype, custom Semgrep rules
deliverables

What You Get

findings_report.pdf

Annotated Findings Report

Every vulnerability documented with file path, line number, severity, CVSS score, proof-of-concept explanation, and exact code-level fix recommendations ready for developers.

exec_summary.pdf

Executive Summary

A non-technical summary of overall code security posture, risk exposure, and top priority fixes — written for engineering leadership and CISOs, not developers.

findings.csv / SARIF

Machine-Readable Output

All findings exported in SARIF format for direct import into GitHub Advanced Security, GitLab, and Jira — so developers can action findings without leaving their workflow.

retest_confirmation.pdf

Free 30-Day Retest

After your developers remediate, we review the fixed code and issue a retest confirmation — verifying that vulnerabilities are genuinely resolved, not just patched superficially.

debrief_call.cal

Developer Debrief Session

A live walkthrough with your engineering team — explaining attack scenarios for each finding, answering fix questions, and advising on secure coding patterns to prevent recurrence.

nda_protected.lock

NDA & Source Code Protection

All source code is received via encrypted channel, reviewed in an air-gapped environment, and permanently deleted within 30 days of report delivery. Your IP is fully protected.

// ship secure code

Find the Flaws Before Merge

Send us your repository — we'll review it line by line and return findings your developers can act on immediately. Most codebases reviewed within 5–10 business days.