Read the code. Prove what scanners miss.
SecureLayer7 source code audit reviews JVM, Go, Python, Node, Rust, C/C++, PHP, and Ruby the way code actually ships: every sink traced by hand to a tainted source through sanitizers, aliases, and framework hops you inherit from upstream. Each verified issue ships with a working proof-of-exploit, a line-level fix diff, and an in-scope re-test so procurement hears outcomes, not tool noise.
Human-led review · Reachability-backed exploits · CREST-accredited reporting
Coverage
The full polyglot surface your teams maintain: JVM, Go, Python, Node, Rust, native code, PHP, Ruby. Reviewers spend time where ownership is fuzzy or risky.
Evidence
Working exploits plus patch-ready diffs. Nothing closes until engineers see reproducible impact tied to real branches.
Re-test included
Fix lands in your repo, we re-run the chain inside the same engagement. No surprise invoices for verification.
The window from vulnerability discovery to exploitation has gone from weeks to hours.
Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure
Accredited testers, audited handling.
CREST accredits our organisation and every tester on your engagement. CERT-In empanelment plus SOC 2 Type II and ISO/IEC 27001 controls govern how source artefacts, secrets, and engagement records are stored, accessed, and handed back.
Mapped to audit requirements across
- SOC 2 Type II
- ISO/IEC 27001
- PCI DSS
- HIPAA
- GDPR
- NIST CSF
- FedRAMP
- and others
Accreditations
Why your SAST stack needs a human
SAST flags 10k findings. We ship the three that pop.
Scanners score signatures, not whether untrusted data can still reach the sink. Follow one real chain: `req.body.sort` rides through ajv, slips into the ORM's `raw()` escape hatch, then reappears in `ORDER BY ${col}`. Three files, two reviewer passes, one tainted path your linter waved through. A 10k-finding backlog is not posture. You get the narrative from scoping to retest (source, every hop, sink), plus exploit proof, the patch engineers can merge, and a re-test that survives scrutiny.
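The chain above, written out as an added example (not SecureLayer7's or any ORM's code): a stub standing in for an ajv `{ type: "string" }` rule, the raw `ORDER BY` interpolation it fails to protect, and the allowlisted fix. Request bodies, the `users` columns and the function names are constructed for illustration.

```javascript
// Added example: req.body.sort -> schema check -> raw() -> ORDER BY ${col}.
// validateBody stands in for ajv with { sort: { type: "string" } }; it checks
// shape only, so any string passes. Nothing below is from the original page.
function validateBody(body) {
  return typeof body.sort === "string";
}

// Vulnerable hop: the validated string is handed to a raw() escape hatch and
// spliced in as an identifier. No hop on this path re-checks the value, so a
// linter that trusts "validated by schema" sees no tainted flow.
function buildQueryVulnerable(body) {
  if (!validateBody(body)) throw new Error("schema rejected body");
  const col = body.sort;
  return `SELECT id, email FROM users ORDER BY ${col}`;
}

// Hardened hop: identifiers cannot be bound as query parameters, so the fix is
// an allowlist of sortable columns plus a fixed direction token. Constructed
// column set for the example.
const SORTABLE = new Set(["id", "email", "created_at"]);

function buildQueryHardened(body) {
  if (!validateBody(body)) throw new Error("schema rejected body");
  const [col, dir = "ASC"] = body.sort.split(":");
  if (!SORTABLE.has(col)) throw new Error(`unsortable column: ${col}`);
  if (dir !== "ASC" && dir !== "DESC") throw new Error(`bad direction: ${dir}`);
  return `SELECT id, email FROM users ORDER BY "${col}" ${dir}`;
}

// Constructed request bodies: one legitimate, one carrying a SQL fragment that
// satisfies the type check but is not a column name.
const benign = { sort: "created_at:DESC" };
const tainted = { sort: "id; SELECT 1" };

console.log(buildQueryVulnerable(tainted)); // fragment reaches the SQL text
console.log(buildQueryHardened(benign));    // allowlisted column, quoted
try {
  buildQueryHardened(tainted);
} catch (e) {
  console.log("blocked:", e.message);       // allowlist rejects the fragment
}
```

The schema hop is the point: the type check is satisfied by both bodies, so only the allowlist at the sink changes the outcome.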
IN SCOPE.
What we read in your codebase.
Four reading frames. We send back the three findings that actually pop, plus the patch path.
Session, role, tenant checks. Where a request crosses a privilege line without a guard.
SQLi, command, deserialization, SSRF, template injection. Parser paths to a sink.
Hard-coded secrets, weak IVs, JWT alg confusion, custom crypto. Past the lint rule.
Direct + transitive CVEs, with a reachable-path proof so dev can prioritise the real ones.
PAST STATIC SCANNERS.
The bug classes that pre-date the build and survive every scanner.
- 01 Deserialization sink
Java readObject, Python pickle.loads, .NET BinaryFormatter on attacker-controlled input. RCE primitives the scanner never traces.
- 02 TOCTOU race
Access check separated from the use, file open, signed-URL validation, payment-state read. Concurrent requests win the window.
- 03 Integer overflow
Unchecked arithmetic on Go uintptr or C size_t, allocation under-counts, heap layout exploit follows.
- 04 String-concat SQL
Parameterized everywhere except one logging path or one admin filter. The grep is fast, the auditor reads the call graph.
- 05 Command injection path
exec.Command with a shell wrapper, child_process.exec instead of execFile, user input flows through env var into a sub-process.
- 06 Secrets in history
Rotated key still in git log, .env committed to a feature branch, dependency lockfile pinned to a private registry token.
- 07 Cryptographic misuse
ECB mode, static IV, MD5 for password hashing, HMAC compared with non-constant-time equality. Reads as working code, fails at audit.
Scope
Seven stacks. Same depth on each.
Auditors who still ship production code in these stacks review yours by hand. We throttle depth based on trust boundaries and data sensitivity, with authentication surfaces, deserialisation paths, parsers, query builders, and IPC earning mandatory deep dives every time.
JVM, Java · Kotlin · Scala
Jackson polymorphic-typing gadgets (CVE-2017-7525 lineage), Spring SpEL / EL injection, JNDI / Log4Shell-style lookups, JDBC string concatenation, lock-order races on shared state, Servlet filter-bypass chains.
Go
Data races on shared maps and channels, `unsafe.Pointer` arithmetic across cgo bridges, raw-string SQL in `database/sql`, JWT `alg=none` acceptance, `text/template` over `html/template`, dependency-confusion in `go.mod` proxies.
Python
`pickle.loads` on user input, SSTI in Jinja / Mako templates, `eval` / `exec` reachable from request handlers, f-string SQL interpolation, `yaml.load` without `SafeLoader`, `subprocess` calls with `shell=True` and argument injection, path traversal via `os.path.join`.
Node · TypeScript
Prototype pollution through `lodash.merge` / `Object.assign`, ReDoS via catastrophic backtracking on user-controlled patterns, `child_process.exec` argument injection, JWT `alg` confusion, sandbox escape in `vm` / `node-serialize` patterns.
C · C++ · Rust unsafe
Buffer overflows, format-string bugs, use-after-free, double-free, OOB reads, integer / sign-conversion overflow in parsers and codecs · Rust `unsafe` audited for aliasing and invariant breaks across FFI boundaries.
PHP
LFI / RFI through `include` paths, object injection via `unserialize`, PHAR deserialisation gadgets, type-juggling (`==`) auth bypass, raw-SQL in legacy modules, `extract()` variable overwrites in framework caches.
Ruby · Rails
Mass assignment through `permit` gaps, `YAML.load` on user input, dynamic dispatch via `send` / `public_send`, raw-SQL in scope chains and `find_by_sql`, `Marshal.load` in cache stores, `constantize` on user input.
SOURCE CODE METHODOLOGY.
Eight phases. From clone to verified patch.
Sized to your repository topology, dependency graph, and code-ownership seams. Nothing is copy-pasted from a generic checklist, and no phase closes until engineers land fixes that survive a second review pass.
Scope & threat-model
Repositories, language mix, framework versions, ownership boundaries, and abuse cases captured in writing before the first clone.
Source recon
Dependency graph, transitive supply chain, externally reachable entry points, IPC seams, and build-pipeline choke points mapped for humans, not dashboards.
SAST triage
Scanner output becomes a ranked hypothesis list. Nothing auto-ships as a finding until a researcher validates exploitability.
Manual audit
Line-level passes on authentication, deserialisation, ORMs, parsers, IPC, filesystem touchpoints, and crypto helpers your threat model highlights.
Taint & data-flow tracing
Walk every sink backwards through validators, sanitisers, schema layers, and framework magic so partial mitigations cannot hide residual risk.
Exploit synthesis
Pair each accepted issue with a working PoC and business-weighted severity so patch order follows impact, not meeting theatre.
Remediation guidance
Concrete diffs, dependency bumps, config toggles, and safer framework patterns aimed at the engineer listed in CODEOWNERS.
Patch verification
Re-run exploits against the merged fix branch with written sign-off per closed path. Auditors see verified closure, not ticket churn.
Insights
Source code audit: from the lab.
Same operators publishing tooling drops, CVE write-ups, and exploit teasers that mirror how they review customer code.
Meet our engagement lead
Engagement lead: John Dill, vCISO at SecureLayer7.
300+ audits scoped · 10+ years in code-level AppSec · 98% findings closed on re-test
John owns the scoping conversations engineering leads keep on the calendar: repo topology, language mix, sensitive flows. He tells you where reviewers will spend weeks versus days, then stays accountable through remediation workshops so auditors talk to facts, not slide decks.
- Maps reviews to business-critical modules across JVM, Go, Python, Node, PHP, and adjacent stacks.
- Facilitates kick-off, mid-engagement risk reviews, and live exploit demos alongside your leads.
- Tracks remediation and signs off on fixes only after a second technical pass.

Bring repos, dependency manifests, and your latest pentest summary. Thirty minutes with John locks languages, trust boundaries, and calendar realities.
Tested by industry.
The bug classes named below come from real engagements in each sector. Pick the closest fit.
Tech SaaS
Multi-tenant codebases, isolation invariants, secret-handling code paths.
FinTech
Trading-engine, settlement-engine, custody-vault code reviewed for invariants.
Built for United States engagements
What changes when we deliver here.
Compliance scoping
NIST SSDF PS.1 / PW.4 / RV.1 line citations on every finding.
Regulatory framework
CISA SSDF attestation form fields filled in by the report.
Local engagements
Defense supplier passed CMMC L2 SI.L2-3.14.2 with this artifact.
Local pricing
USD fixed-fee by KLOC band, no auto-renew clauses.
Compliance scoping
CycloneDX 1.5 SBOM signed and included with each engagement.
Questions US engineering leads ask first.
Does this satisfy EO 14028 §4(e) self-attestation?
Yes. The report mirrors CISA Secure Software Development Attestation Form fields and ships a CycloneDX 1.5 SBOM.
Will the audit hold up to SOX §404 ICFR review?
Yes. Public-company clients use the review as evidence for change-management controls under PCAOB AS 2201.
Do you check NIST SP 800-161 Rev 1 supply-chain controls?
Yes. Third-party dependencies, build-pipeline access and signing keys are checked against C-SCRM control families SR-3, SR-4 and SR-11.
How do you handle export-controlled or ITAR code?
Review happens on US soil with US-person operators. NDA names the EAR/ITAR category. No cross-border data movement.
Delivery in United States
EO 14028 SSDF review. CycloneDX SBOM. SOX §404 ICFR.
Source review maps to NIST SP 800-218 SSDF PS.1, PW.4 and RV.1. CycloneDX SBOM ships with each report so federal customers can file the §4(e) self-attestation.
- Direct line: +1-512-643-7291
- Office: Austin, TX, United States
Frameworks scoped: SOC 2 · HIPAA · PCI DSS · NIST CSF · FedRAMP · CMMC.
Sample engagement report
Preview the deliverable before you brief leadership.
Redacted excerpts include chain narrative, working exploit artefacts, line-level patch guidance, and re-test attestation from a recent engagement. After a 5-minute scoping sync we align examples with your languages so reviewers recognise their own patterns.