Security Upgrades

Understanding and addressing evolving security challenges

Your application passed a security review two years ago. Since then, your team has shipped dozens of features, upgraded half your dependencies, and onboarded three new engineers. None of that triggered a new security review - and that is how most breaches begin.

The Change Healthcare breach exposed records for 190 million Americans. The attackers used stolen credentials to access a system that had no multi-factor authentication. The fix was known. It wasn’t applied. That pattern - known vulnerability, no remediation - is the most common root cause we find when we audit applications.

Security isn’t a project you complete. It’s a maintenance discipline. We help teams build that discipline without turning it into a full-time job.

What We Find in Security Audits

Most of the vulnerabilities we find aren’t exotic. They’re well-documented issues that were missed during feature development and never revisited afterwards.

Dependency vulnerabilities with known CVEs

Your Gemfile.lock or package-lock.json is a snapshot of your risk surface at the time it was last updated. We regularly find applications running libraries with published CVEs rated 7.5 or higher on the CVSS scale - vulnerabilities that have working exploits and have been patched in newer versions. We audit your dependency tree, cross-reference against the NVD and GitHub Advisory Database, and provide a prioritized remediation list with upgrade paths that don’t break your application.

Authentication and session management gaps

We’ve found Rails applications storing session tokens in cookies without the secure flag, API endpoints accepting JWTs without signature verification, and Devise configurations with password reset tokens that never expire. These aren’t theoretical risks - they’re the kind of finding that shows up in breach post-mortems. We review your authentication flow end-to-end, including OAuth integrations, API key handling, and MFA implementation.
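As an added illustration of the JWT finding above (example code written for this page, not the firm's own tooling or any client's code): a pure-Ruby HS256 verifier placed beside the unverified decode that produces the gap. It uses only the standard library; the secret and claims are constructed sample values, and the `exp` window is enforced against an injectable clock so the expiry path can be exercised.

```ruby
require "openssl"
require "json"

# Base64url helpers (JWT uses the unpadded URL-safe alphabet); stdlib only.
def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/")
  padded += "=" * ((4 - padded.length % 4) % 4)
  padded.unpack1("m0") # strict mode raises ArgumentError on malformed input
end

# Constant-time comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issues an HS256 token (constructed here only so there is something to verify).
def sign_hs256(payload, secret)
  header = b64url(JSON.generate({ "alg" => "HS256", "typ" => "JWT" }))
  body   = b64url(JSON.generate(payload))
  sig    = OpenSSL::HMAC.digest("SHA256", secret, "#{header}.#{body}")
  "#{header}.#{body}.#{b64url(sig)}"
end

# The audit finding: the payload is decoded and trusted; the signature is never checked.
def decode_unverified(token)
  JSON.parse(b64url_decode(token.split(".")[1]))
end

# Hardened verifier: algorithm pinned server-side (never taken from the token),
# signature compared in constant time, expiry required and enforced.
# Returns the claims hash, or nil for anything that fails a check.
def verify_hs256(token, secret, now: Time.now.to_i)
  parts = token.split(".")
  return nil unless parts.length == 3
  header_b64, body_b64, sig_b64 = parts
  header = JSON.parse(b64url_decode(header_b64))
  return nil unless header.is_a?(Hash) && header["alg"] == "HS256"
  expected = OpenSSL::HMAC.digest("SHA256", secret, "#{header_b64}.#{body_b64}")
  return nil unless secure_equal?(expected, b64url_decode(sig_b64))
  claims = JSON.parse(b64url_decode(body_b64))
  return nil unless claims.is_a?(Hash) && claims["exp"].is_a?(Integer) && claims["exp"] > now
  claims
rescue ArgumentError, TypeError, JSON::ParserError, EncodingError
  nil # malformed base64, JSON, or claim types: treat as unauthenticated
end
```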

Injection and input handling

Automated scanners catch obvious SQL injection in dynamic queries. They miss N+1 vulnerabilities that leak data through timing, unsafe deserialization in background jobs, and mass assignment in Rails controllers where permit is too permissive. Manual code review finds what scanners miss. We look specifically at controller params, ActiveRecord queries, and any place user input touches a system call or file path.

Encryption gaps

TLS misconfiguration is common in applications that started before 2018 and haven’t had infrastructure audits since. We check your TLS version and cipher suite configuration, verify that sensitive fields (tokens, PII, payment data) are encrypted at rest, and review your key management practices. If you’re handling HIPAA or GDPR-regulated data, we map your encryption posture against those specific requirements.

Access control and privilege escalation

We look at whether your authorization logic is centralized or scattered across controllers, whether RBAC policies are actually enforced at the data layer, and whether there are admin endpoints protected only by a role check that can be bypassed. In multi-tenant applications, we specifically test for tenant isolation failures - the class of bug where one customer can read or modify another customer’s data.

How We Structure Security Engagements

Security work falls into three categories depending on what you need:

Point-in-time assessment - A one-time audit of your application, infrastructure, or both. We deliver a prioritized findings report with remediation guidance. Typical turnaround is 2-3 weeks depending on application size. This is appropriate if you need a baseline, are preparing for a SOC 2 audit, or want an independent review before a major release.

Remediation engagement - We don’t just find problems; we fix them. After an assessment, we can work through the findings with your team or implement fixes directly, depending on your team’s capacity. We’ve worked in codebases where the original developers were unavailable, and we document every change so your team understands what we did and why.

Ongoing security maintenance - A retainer arrangement for applications that need continuous coverage: monthly dependency scans, quarterly code reviews of new features, and on-call access for security questions as they arise. This is suited for applications in regulated industries or those handling sensitive financial or health data.

What we don’t do

We don’t do penetration testing against systems we don’t have authorization to test. We don’t produce compliance documentation for certifications we haven’t verified. If your situation requires a formal penetration test report for SOC 2 Type II or a specific regulatory requirement, we can help you scope that engagement correctly and connect you with the right resources.

Contact us to discuss your security situation. We’ll tell you what kind of engagement makes sense for your application and your timeline.