OWASP Top 10 Application Audit
Structured assessment against OWASP Top 10 (2021): A01 Broken Access Control (IDOR accessing /api/orders/123 without ownership), A02 Cryptographic Failures (bcrypt/Argon2 passwords, TLS config), A03 Injection (SQL, NoSQL, OS command), A04 Insecure Design (threat modelling), A05 Security Misconfiguration (default creds, verbose errors), A06 Vulnerable Components (dependency CVEs), A07 Authentication Failures (brute force protection, session management), A08 Software Integrity Failures (CI/CD security), A09 Logging Failures, A10 SSRF. Deliverable: OWASP Top 10 assessment report with per-category findings, severity ratings, remediation guidance.
Cloud Infrastructure Security Review
AWS account security assessment: IAM audit (root MFA, no long-lived access keys, IAM Access Analyzer), network security (VPC security groups any SGs open to 0.0.0.0/0 on non-standard ports? DB accessible from internet?), S3 security (public access block, bucket policies), encryption audit (RDS/EBS/S3 encryption, Secrets Manager vs hardcoded), monitoring (CloudTrail all regions, CloudWatch alarms, GuardDuty enabled, Security Hub), AWS Trusted Advisor security checks.
Code Security Review
Manual and automated security review of application code: SAST tool findings review (Semgrep, CodeQL triage, eliminate false positives), manual code review (authentication and authorisation implementation permissions checked at every endpoint), secret scanning (GitLeaks historical scan of full Git history for hardcoded API keys, DB credentials, private keys), dependency audit (npm audit, pip audit CVEs in third-party packages), third-party code review (open-source libraries for security-critical functions JWT validation, cryptography, OAuth).
Security Headers & TLS Audit
HTTP security header assessment: Content-Security-Policy (XSS mitigation), Strict-Transport-Security (HSTS forces HTTPS), X-Content-Type-Options (nosniff), X-Frame-Options (clickjacking protection), Permissions-Policy, Referrer-Policy. TLS configuration: SSL Labs assessment TLS version (TLS 1.2 minimum, 1.3 preferred), cipher suites, certificate validity. Tools: SecurityHeaders.com, SSL Labs, Mozilla Observatory.
SOC 2 / GDPR Security Readiness
Gap assessment against specific compliance frameworks: SOC 2 Trust Service Criteria (Security, Availability, Confidentiality) mapped against current controls, identifying remediation gaps before audit, GDPR Article 32 (technical and organisational security measures encryption, access controls, incident response, data minimisation), ISO 27001 gap assessment against Annex A controls, HIPAA Security Rule technical safeguards (encryption, access control, audit controls, integrity). Deliverable: compliance gap report with prioritised remediation roadmap for each applicable framework.