Your client just asked: “Is it secure?”
A fixed-price security review of your Rails app by a senior engineer — 13 years of production Rails. Dependency CVEs, static analysis, and a manual read of the code paths attackers actually target. Report in 5–7 days.
Book an audit →What gets reviewed
Dependency & CVE Scan
bundler-audit + ruby-advisory-db. Every gem in your Gemfile.lock checked against known CVEs, prioritized by real exploitability — not just CVSS scores.
Static Analysis, Expert-Triaged
Brakeman across the full codebase. Every finding hand-verified, false positives removed. You get signal, not tool noise.
Authentication & Sessions
Password handling, session fixation, remember-me tokens, reset flows, MFA hooks. The front door, checked properly.
Authorization
IDOR checks, scope leaks, mass assignment, admin boundary review. The bugs that leak one customer's data to another.
Injection Surfaces
SQL injection via raw or interpolated queries, XSS escapes, command injection, unsafe deserialization.
Secrets & Config
Credentials handling, encrypted secrets, security headers, cookie flags, CSRF setup, production config hardening.
Fixed price. No hourly meter.
Turnaround 5–7 days from repo access.
Report
- Full dependency + CVE scan
- Brakeman with expert triage
- Manual code review
- Prioritized findings report (impact × effort)
- Fix guidance per finding
Report + Fixes
- Everything in Report
- Patch PRs for all critical findings
- Patch PRs for all high findings
- Fixes reviewed and test-covered
Full
- Everything in Report + Fixes
- Patches for medium/low findings
- Re-audit verification pass after fixes land
- Final clean-bill report
Your client asked about security.
You don't need a security hire.
I audit your client's Rails app; you deliver the results under your brand. Unbranded or agency-branded report, your markup, your client relationship — I stay invisible. One agency partner typically sends multiple apps per year: every project you ship is an audit your client will pay for.
See the deliverable before you buy
See exactly what you get — findings format, severity scoring, and fix guidance.
View a sample report →Straight answers
Is this a penetration test?
No, and I won't pretend it is. This is a code-level security review: I read your code and dependencies the way an attacker-aware senior engineer does. Dynamic/network penetration testing is a different discipline — if you need it, I'll say so and can refer you.
What access do you need?
Read access to the repository. No production access, no database, no customer data.
What if you find nothing serious?
Then the report says so, with evidence — that's a result your client can take to their stakeholders. Most audits find something worth fixing.
Which Rails versions?
Rails 4 through 8. Old versions are where the findings live.
How is this so much cheaper than the big firms?
Same core scope the $10k firms sell — dependency analysis, Brakeman with expert triage, manual review — minus the agency overhead. One senior engineer, fixed price.