Your SaaS runs on security

Security creates trust, and trust makes customers pay. So you've got to make sure that your application is secure:

Are our automatic Rails security audit scanners finding all security problems?
Where did all the time to research that security topic go?
What security problems should get focused attention and which not?
Which team member might need a little training on that one topic?
And are we following the latest Rails security best practices?

To answer these questions, you need to keep up with your application's security.

Security takes time - time that you don't have. And it's not a very visible feature. Your customers take security for granted. They would rather see That New Feature finally come to life.

Your team and automatic scanners take good care of security. But security is annoying. Software developers and security people need to wear two different hats all the time. So you suspect (or you know!) that after all the development, your team might not always switch the hats quick enough.

It's not that you're paranoid or something. But you need your application to follow the ever-changing security best practices. It's not that your team is sloppy, but it gets in the way and all they want is do their work.

What if you all could get what you wanted?

"The audit was very professional and made our applications so much more secure."
Christoph Hugo, Tolingo Translations

How much easier would your job be if you could be sure about security and it just took care of itself?

Imagine:

You'd be sure about the current state of your app's security
You could install new processes to prevent vulnerabilities from happening
Your team can wear the development more often than the security hat
You'd know what to focus on security-wise
More features get done, and security becomes a feature!
You could charge more

What if security would no longer be a hindrance, but a feature? Something that you can announce on your marketing website.

Manual Rails security audit

What makes a manual Rails security audit better?

10 years ago when I started with Rails security reviews, there were no automatic scanners. So I read the entire code and we fixed plenty of highs and lows.

Nowadays almost all applications that I audit run an automatic security scanner like brakeman. But still, those scanners don't discover an average of 3 highs per application. That's not because the tools are bad.

But those tools don't know for example:

that updating someone else’s credit card info isn’t allowed
that I shouldn’t be able to move documents to someone else's platform
React components, HAML or Slim views
CSS injection
Content-Security-Policy in-depth

What does a manual audit usually cover?

A manual code security check focuses on the logic of the application and the interaction of all parts. Plus:

The Open Web Application Project (OWASP) Top 10 vulnerabilities in web apps
Best practices for the OWASP Top 10, new HTTP security headers, SSL/TLS and the architecture
Gem-specific vulnerabilities
Ruby, Rails and JavaScript specialities
Unix or network security on request

The review will focus on the current state of security. But the report will also give recommendations how to take it to the next level.

Join our customers who fixed hundreds of pages of vulnerabilities to provide better apps to their own clients.

Let a manual Rails code audit take away the worry & hassle of security.

It's easier than you think

No need for a lengthy training, a short introduction is enough. After 10 years of Rails auditing, I know where to look. I'll run up the code or you'll provide me with a staging server.

Report with my findings

The first part of the report is color-coded according to the severity of the vulnerability. The second part contains my recommendations for how to fix it.

Affordable

Many security firms work with Big Business, and their price structure reflects that. I prefer to work with self-funded small businesses (like mine) at an affordable price point.

Available from tomorrow

I reserve special time slots for urgent projects, so let's start tomorrow.

"Heiko performed an audit of Churn Buster's card update page functionality and delivered a thorough, well-organized, and thoughtful report. His insights made it easy for us to prioritize improvements and get them on our roadmap along with non-security work."
Matt Goldman, Churnbuster

Questions

Are you qualified to do an audit?

I've done countless Rails audits in the last 10 years. One of the applications is probably very much like your's. I also wrote several books, guides & my thesis about Rails security. And I'm a member of OWASP where I worked on Ruby on Rails security guides.

Can we do an audit without you seeing the source code?

Yes and no. If you provide me with enough information it can work. But it will take longer and might not be 100%. The reason why all clients preferred a source code audit so far is that it's quicker and more accurate.

So I'll have to explain to you how the entire app works?

Most projects need only a few e-mails and I'm ready to start. Understanding how the app works in detail is a plus. But for a successful audit, I'll only need some technical details.

We're using X, can you still do an audit?

I specialise in Rails and its' common friends to deliver the best results. But I've also audited Go, Node and PHP apps. E-mail me about X and let's find out.

How much does it cost?

I'm running a self-funded small business, so my expenses and costs are lower. Please get your non-binding estimate below.

Can you sign a non-disclosure agreement?

Absolutely.

Can we do a test project?

Many clients develop several apps, so a natural division is doing one as a test project. That will give you the freedom to fix similar vulnerabilities in the other apps yourself. And I can immediately verify the fixes in the other apps if you want to continue the audit.

Will you also fix the vulnerabilities?

Often it will be easier for you to fix them based on my detailed recommendations with code examples. That's because your team knows the code better. But if you want, I can also help implementing.

Will anybody else see the code?

No, only me.

Can you verify our fixes afterwards?