Security Code Review
A senior engineer reads your code and finds the security problems an automated scanner misses and a demo never shows. You end up with a clear document: what is wrong, how serious it is, and exactly how to fix it.
Manual analysis, backed by tooling, not an auto-generated report. Tools find patterns; senior judgement decides what is a real problem, how serious it is in the context of your application, and how to fix it. The difference shows in the deliverable: not a list of 300 warnings, but the findings that matter, triaged and explained.
What I check
- Authentication and authorization: cross-account access (IDOR), privilege escalation, sessions and tokens
- Injection: SQL, system commands, XSS, unsafe deserialization
- Secrets and configuration: keys and passwords in code, committed .env, secrets in git history
- Dependencies: packages with known vulnerabilities (CVE)
- Data handling: server-side validation, encryption, password hashing, personal-data exposure
- Error handling: silent failures, information leaks, logging and monitoring
- Sensitive flows: payments, personal data, irreversible operations
- AI-built code: the typical patterns that appear when code is generated fast, without engineering oversight
What you get
- A written, professionally structured report: a one-page executive summary for the decision-maker, plus detailed findings for the technical team.
- Each issue with severity, exact location (file:line), evidence, impact, and the concrete fix, with code.
- A remediation plan prioritised by risk: what to fix in 24 hours, what this sprint, what is technical debt.
- A handover session (30 - 60 min): I walk through every finding with your team.
- A re-check included: once you implement the fixes, I confirm in writing what is closed.
See a sample report → (example document, with fictional data, in Romanian)
How long it takes
It depends on the size of the codebase: from 2 - 3 days for a small application, up to 1 - 2 weeks for a medium one. Fixed price, fixed duration, set after a 20-minute evaluation call. No "it depends" along the way: the scope is listed in the offer before we start.
Honest, to avoid misunderstandings. This is a commercial code-review service. It is not a penetration test (active attack), it does not cover infrastructure, and it is not an "audit de securitate cibernetică" within the meaning of Romania's OUG 155/2024 - COXSWAIN is not a DNSC-attested auditor. If that is what you need, I will tell you directly and point you to an attested auditor.
How we work
- A 20-minute call. What you have, what worries you. Free, no commitment.
- A fixed-price, fixed-duration offer, in writing, with deliverables listed.
- Execution, without stopping your production.
- Report and handover session with your team.
- Re-check after you fix.
I work confidentially. I sign an NDA if needed, before seeing a line of code.