Read the code. Prove what scanners miss.

SecureLayer7 source code audit reviews JVM, Go, Python, Node, Rust, C/C++, PHP, and Ruby the way code actually ships: every sink traced by hand to a tainted source through sanitizers, aliases, and framework hops you inherit from upstream. Each verified issue ships with a working proof-of-exploit, a line-level fix diff, and an in-scope re-test so procurement hears outcomes, not tool noise.

Human-led review · Reachability-backed exploits · CREST-accredited reporting

See the methodology
[Figure: one real line of code, db.exec with a SQL string concatenation. A SOURCE label points at the user-derived token, a SINK label points at db.exec; the sink is highlighted in orange as the proven finding, with a hairline trace showing data flow from source to sink.]

Coverage

The full polyglot surface your teams maintain: JVM, Go, Python, Node, Rust, native code, PHP, Ruby. Reviewers spend time where ownership is fuzzy or risky.

Evidence

Working exploits plus patch-ready diffs. Nothing closes until engineers see reproducible impact tied to real branches.

Re-test included

Once the fix lands in your repo, we re-run the chain inside the same engagement. No surprise invoices for verification.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning


Accredited testers, audited handling.

CREST accredits our organisation and every tester on your engagement. CERT-In empanelment plus SOC 2 Type II and ISO/IEC 27001 controls govern how source artefacts, secrets, and engagement records are stored, accessed, and handed back.

  • CREST: accredited company and testers
  • CERT-In: empanelled auditor
  • AICPA SOC 2 Type II: independently audited
  • ISO/IEC 27001: information security management

Mapped to audit requirements across

  • SOC 2 Type II
  • ISO/IEC 27001
  • PCI DSS
  • HIPAA
  • GDPR
  • NIST CSF
  • FedRAMP
  • and others

Accreditations

  • CERT-In empanelled auditor
  • CREST accredited
  • ISO/IEC 27001

Why your SAST stack needs a human

SAST flags 10k findings. We ship the three that pop.

Scanners score signatures, not whether untrusted data can still reach the sink. Follow one real chain: req.body.sort rides through ajv, slips into the ORM's raw() escape hatch, then reappears in ORDER BY ${col}. Three files, two reviewer passes, one tainted path your linter waved through. A 10k-finding backlog is not posture. You get the narrative from scoping to retest (source, every hop, sink), plus exploit proof, the patch engineers can merge, and a re-test that survives scrutiny.
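The chain above, reduced to one runnable file as an added example (this is not SecureLayer7's code or a client's). A type-only schema check stands in for ajv, a pass-through `raw()` stands in for the ORM escape hatch, and the payload is constructed; the function names are assumptions. It shows why a validator that only constrains type and length is not a sanitiser for an ORDER BY sink, and the allow-list rewrite that closes the path.

```javascript
// Added example (not SecureLayer7 code): the req.body.sort chain reduced to
// one file. The schema check stands in for ajv; the query builder stands in
// for an ORM with a raw() escape hatch. Both are constructed for the demo.

// A request schema that only constrains type and length, as many do.
const sortSchema = { type: 'string', maxLength: 64 };

// Minimal stand-in for ajv.validate(schema, value): type and length only.
function validateAgainstSchema(schema, value) {
  if (typeof value !== schema.type) return false;
  if (schema.maxLength !== undefined && value.length > schema.maxLength) return false;
  return true;
}

// Stand-in for the ORM's raw() escape hatch: the fragment is used verbatim.
function raw(fragment) {
  return fragment;
}

// Vulnerable hop: the validated string goes straight into ORDER BY via raw().
// The schema "passed", so a linter keyed on the validator sees nothing.
function buildListQueryVulnerable(body) {
  if (!validateAgainstSchema(sortSchema, body.sort)) {
    throw new Error('invalid sort');
  }
  const col = body.sort;
  return `SELECT id, email FROM users ORDER BY ${raw(col)}`;
}

// Hardened hop: the untrusted value only selects from an allow-list, so the
// SQL text never contains attacker bytes. Direction is handled the same way.
const SORTABLE = new Map([
  ['id', 'id'],
  ['email', 'email'],
  ['created', 'created_at'],
]);

function buildListQueryHardened(body) {
  if (!validateAgainstSchema(sortSchema, body.sort)) {
    throw new Error('invalid sort');
  }
  const [key, dir = 'asc'] = body.sort.split(':');
  const col = SORTABLE.get(key);
  if (col === undefined) throw new Error('unsupported sort column');
  const direction = dir.toLowerCase() === 'desc' ? 'DESC' : 'ASC';
  return `SELECT id, email FROM users ORDER BY ${col} ${direction}`;
}

// Constructed payload: a string under 64 chars, so it satisfies the schema,
// yet it rewrites the ORDER BY clause. A CASE expression is the usual shape
// for a boolean oracle in this position; shown only to make the chain visible.
const payload = '(CASE WHEN (SELECT 1)=1 THEN id ELSE email END)';

function demoOrderBy() {
  const vulnerable = buildListQueryVulnerable({ sort: payload });
  let hardened;
  try {
    hardened = buildListQueryHardened({ sort: payload });
  } catch (e) {
    hardened = e.message;
  }
  return {
    schemaAcceptsPayload: validateAgainstSchema(sortSchema, payload),
    vulnerable,
    hardened,
    legit: buildListQueryHardened({ sort: 'created:desc' }),
  };
}
```

Note the shape of the fix: no escaping function is applied to the attacker string, because identifiers in ORDER BY cannot be bound as parameters in most drivers; the only safe move is to map the input onto names you own.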

[Figure: the scanner column shows one orphaned dot; the tester column threads three dots with a hairline trace ending on orange impact, the proven chain from source through sink.]

IN SCOPE.

What we read in your codebase.

Four reading frames. We send back the three findings that actually pop, plus the patch path.

AUTHN + AUTHZ
Trust boundaries

Session, role, tenant checks. Where a request crosses a privilege line without a guard.

INPUT HANDLING
Injection surface

SQLi, command, deserialization, SSRF, template injection. Parser paths to a sink.

SECRETS + CRYPTO
Key handling

Hard-coded secrets, weak IVs, JWT alg confusion, custom crypto. Past the lint rule.

DEPENDENCIES
Transitive risk

Direct + transitive CVEs, with a reachable-path proof so dev can prioritise the real ones.

PAST STATIC SCANNERS.

The bug classes that pre-date the build and survive every scanner.

01

Deserialization sink

Java readObject, Python pickle.loads, .NET BinaryFormatter on attacker-controlled input. RCE primitives the scanner never traces.

02

TOCTOU race

Access check separated from the use it guards: file open, signed-URL validation, payment-state read. Concurrent requests win the window.

03

Integer overflow

Unchecked arithmetic on Go uintptr or C size_t, allocation under-counts, heap layout exploit follows.

04

String-concat SQL

Parameterized everywhere except one logging path or one admin filter. The grep is fast; the auditor reads the call graph.

05

Command injection path

exec.Command run through a shell wrapper, child_process.exec instead of execFile, user input flowing through an environment variable into a sub-process.

06

Secrets in history

Rotated key still in git log, .env committed to a feature branch, dependency lockfile carrying a private registry token.

07

Cryptographic misuse

ECB mode, static IV, MD5 for password hashing, HMAC compared with non-constant-time equality. Reads as working code, fails at audit.

Scope

Seven stacks. Same depth on each.

Auditors who still ship production code in these stacks review yours by hand. We scale depth to trust boundaries and data sensitivity, with authentication surfaces, deserialisation paths, parsers, query builders, and IPC earning mandatory deep dives every time.

JVM, Java · Kotlin · Scala

Jackson polymorphic-typing gadgets (CVE-2017-7525 lineage), Spring SpEL / EL injection, JNDI / Log4Shell-style lookups, JDBC string concatenation, lock-order races on shared state, Servlet filter-bypass chains.

Go

Data races on shared maps and channels, `unsafe.Pointer` arithmetic across cgo bridges, raw-string SQL in `database/sql`, JWT `alg=none` acceptance, `text/template` over `html/template`, dependency-confusion in `go.mod` proxies.

Python

`pickle.loads` on user input, SSTI in Jinja / Mako templates, `eval` / `exec` reachable from request handlers, f-string SQL interpolation, `yaml.load` without `SafeLoader`, `subprocess` calls with `shell=True` and user-controlled arguments, path traversal via `os.path.join` (an absolute component discards everything before it).

Node · TypeScript

Prototype pollution through `lodash.merge` / `Object.assign`-style deep merges, ReDoS via catastrophic backtracking on user-controlled patterns, `child_process.exec` argument injection, JWT `alg` confusion, `vm` sandbox escapes, RCE through `node-serialize`-style deserialisation.
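Prototype pollution through a recursive merge, as an added example (not SecureLayer7's code and not lodash's implementation): a hand-written deep merge of the shape that made `lodash.merge` exploitable in older versions, beside the hardened form. The merge helpers, the attacker body and the `pollutes` probe are constructed here.

```javascript
// Added example (not SecureLayer7 code): prototype pollution via a naive deep
// merge, with the hardened merge beside it. Everything here is constructed.

// Vulnerable: recurses into any object-valued key, including "__proto__".
// target["__proto__"] resolves to Object.prototype, so the nested assignment
// lands on every object in the process.
function mergeVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      mergeVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the three keys that reach a prototype, and only recurse
// into properties the target actually owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeHardened(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      mergeHardened(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker body. JSON.parse creates an own property literally
// named "__proto__", which Object.keys enumerates.
const ATTACKER_BODY = '{"displayName":"x","__proto__":{"isAdmin":true}}';

// Runs one merge of the attacker body into a per-user settings object, then
// checks whether an unrelated, freshly created object gained isAdmin. That is
// the pollution: an authz check like `if (user.isAdmin)` now passes for
// everyone. Cleans up so the probe can run again.
function pollutes(mergeFn) {
  const settings = { displayName: 'default' };
  mergeFn(settings, JSON.parse(ATTACKER_BODY));
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}
```

The reviewer's tell is any recursive property walk over request-derived objects; the scanner sees a merge call, the auditor asks whether `__proto__` is a reachable key name and where `isAdmin`-style flags are read afterwards.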

C · C++ · Rust unsafe

Buffer overflows, format-string bugs, use-after-free, double-free, OOB reads, integer / sign-conversion overflow in parsers and codecs · Rust `unsafe` audited for aliasing and invariant breaks across FFI boundaries.

PHP

LFI / RFI through `include` paths, object injection via `unserialize`, PHAR deserialisation gadgets, type-juggling (`==`) auth bypass, raw-SQL in legacy modules, `extract()` variable overwrites in framework caches.

Ruby · Rails

Mass assignment through `permit` gaps, `YAML.load` on user input, dynamic dispatch via `send` / `public_send`, raw-SQL in scope chains and `find_by_sql`, `Marshal.load` in cache stores, `constantize` on user input.

SOURCE CODE METHODOLOGY.

Eight phases. From clone to verified patch.

Sized to your repository topology, dependency graph, and code-ownership seams. Nothing is copy-pasted from a generic checklist, and no phase closes until engineers land fixes that survive a second review pass.

01

Scope & threat-model

Repositories, language mix, framework versions, ownership boundaries, and abuse cases captured in writing before the first clone.

02

Source recon

Dependency graph, transitive supply chain, externally reachable entry points, IPC seams, and build-pipeline choke points mapped for humans, not dashboards.

03

SAST triage

Scanner output becomes a ranked hypothesis list. Nothing auto-ships as a finding until a researcher validates exploitability.

04

Manual audit

Line-level passes on authentication, deserialisation, ORMs, parsers, IPC, filesystem touchpoints, and crypto helpers your threat model highlights.

05

Taint & data-flow tracing

Walk every sink backwards through validators, sanitisers, schema layers, and framework magic so partial mitigations cannot hide residual risk.

06

Exploit synthesis

Pair each accepted issue with a working PoC and business-weighted severity so patch order follows impact, not meeting theatre.

07

Remediation guidance

Concrete diffs, dependency bumps, config toggles, and safer framework patterns aimed at the engineer listed in CODEOWNERS.

08

Patch verification

Re-run exploits against the merged fix branch with written sign-off per closed path. Auditors see verified closure, not ticket churn.

Meet our engagement lead

John Dill, vCISO at SecureLayer7

300+ audits scoped · 10+ years in code-level AppSec · 98% of findings closed on re-test

John owns the scoping conversations engineering leads keep on the calendar: repo topology, language mix, sensitive flows. He tells you where reviewers will spend weeks versus days, then stays accountable through remediation workshops so auditors talk to facts, not slide decks.

  • Maps reviews to business-critical modules across JVM, Go, Python, Node, PHP, and adjacent stacks.
  • Facilitates kick-off, mid-engagement risk reviews, and live exploit demos alongside your leads.
  • Tracks remediation and signs off on fixes only after a second technical pass.
SL7 Lab. Published CVE research.

Bring repos, dependency manifests, and your latest pentest summary. Thirty minutes with John locks languages, trust boundaries, and calendar realities.

Book a 30-min call

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Tech SaaS

Multi-tenant codebases, isolation invariants, secret-handling code paths.

FinTech

Trading-engine, settlement-engine, custody-vault code reviewed for invariants.

HealthTech

EHR integration code, PHI-handling functions, consent-engine logic.

Built for India engagements

What changes when we deliver here.

  • Compliance scoping

    MeitY secure-coding advisories referenced per language

  • Regulatory framework

    RBI third-party software clause covered in vendor inventory

  • Local engagements

    On-prem review in Mumbai or Pune when source cannot travel

  • Local pricing

    INR pricing per kLOC with GST invoice

  • Compliance scoping

    SBOM annexure formatted for SEBI CSCRF Identify-2

Code review questions Indian CISOs raise.

  • Does the audit cover the RBI third-party software clause?

    Yes. The vendor library inventory, license review and known-CVE check map to RBI Master Direction Annex 1 third-party controls.

  • Do you handle code that cannot leave India?

    Yes. Reviewers work on a sandbox you host in Mumbai or Pune. No source leaves your network. Audit pack includes a residency attestation.

  • What languages and frameworks do you cover?

    Java, Kotlin, Go, Python, Node, .NET and Solidity. Each finding shows the file path, line, and the secure-coding rule violated.

  • How are findings packaged for SEBI CSCRF Identify-2?

    Each finding tags an Identify-2 control. The SBOM and dependency tree ship as an annexure your SEBI auditor can attach to the workbook.

Delivery in India

Code audit for RBI and SEBI supply-chain clauses.

Static and manual review against MeitY secure-coding advisories and CERT-In supply-chain notes. Findings cite the file, line and the control clause.

Direct line
+91-20-71600505
Office
Pune, Maharashtra, India

Frameworks scoped: CERT-In · DPDP Act · RBI CSF · SEBI CSCRF · ISO/IEC 27001 · PCI DSS.

Sample source-code audit report, chain · evidence · remediation · re-test

Sample engagement report

Preview the deliverable before you brief leadership.

Redacted excerpts include chain narrative, working exploit artefacts, line-level patch guidance, and re-test attestation from a recent engagement. After a 5-minute scoping sync we align examples with your languages so reviewers recognise their own patterns.