🛡️ Sherlocked Security – Source Code Security Review
Uncover Vulnerabilities Before They Become Breaches
📄 1. Statement of Work (SOW)
Service Name: Source Code Security Review
Client Type: Product Companies, SaaS, FinTech, Startups, Enterprises
Service Model: Manual Review + SAST (Static Application Security Testing)
Compliance Coverage: OWASP ASVS, OWASP Top 10, NIST 800-53, PCI-DSS, ISO 27001, SOC 2
Testing Types:
- Full Codebase Review
- Targeted Module Review
- Pre-release Secure Code Audit
- CI/CD Pipeline Integration (optional)
🧠 2. Our Approach
🔍 Code-Focused | Logic-Aware | Developer-Centric
[Repo Access] → [Build Context] → [Automated SAST] → [Manual Code Review] → [Logic & Auth Checks] → [Secrets & Hardcoded Keys] → [Business Logic Abuse] → [Fix Advice + Developer Handoff]
🧪 3. Methodology
[Kickoff Call] → [Repo Access + Setup] → [Threat Modeling] → [Automated SAST Scan] → [Manual Review of Critical Paths] → [Security Anti-Pattern Identification] → [Findings + Recommendations] → [Dev Feedback Loop] → [Final Report + Retesting]
📦 4. Deliverables to the Client
- ✅ Code Risk Matrix
- 📘 Technical Report:
- Vulnerability Name
- Severity (CVSS v3.1)
- Affected Files/Modules
- Code Snippet + Line Numbers
- Exploit Scenario / PoC
- Root Cause
- Fix Guidance
- References
- 🧾 Executive Summary
- 📊 Visual Code Map (optional)
- 📽️ Walkthrough Session with Devs
- 🔁 Retesting After Fixes
- 🎓 Final Security Certificate
🤝 5. What We Need from You (Client Requirements)
- ✅ GitHub/GitLab/Bitbucket access or zipped codebase
- ✅ Build/run instructions
- ✅ Branch to review (e.g., main, release)
- ✅ Tech stack overview
- ✅ Developer POC for clarification
- ✅ Threat model (if available)
🧰 6. Tools & Technology Stack
- 🛠️ Semgrep / SonarQube / CodeQL
- 🔍 GitLeaks / TruffleHog
- 🔐 Manual review via VSCode/Sublime
- 🧠 Custom code auditing scripts
- 📈 AST parsing tools (for JavaScript, Python, etc.)
🚀 7. Engagement Lifecycle (Lead → Closure)
1. Scoping → 2. NDA & Access Setup → 3. Kickoff & Onboarding → 4. Code Analysis (SAST + Manual) → 5. Draft Report → 6. Client Review Call → 7. Retesting & Final Report → 8. Certification
🌟 8. Why Sherlocked Security? (Our USP)
| Feature | Sherlocked Advantage |
|---|---|
| 🧠 Manual + Automated Hybrid | Static analysis + logic-focused review |
| 🔐 Developer-Friendly | Line-by-line fix advice in report |
| 📘 Business Logic Awareness | Beyond syntax – real abuse cases |
| 🔁 Free Retesting Round | Validates fixes at no extra cost |
| 📽️ Live Developer Sessions | Fix walkthroughs on call |
📚 9. Real-World Case Studies
🔑 Hardcoded AWS Secrets
Issue: Exposed IAM keys in config files
Impact: Cloud infrastructure compromised via CI/CD
Fix: Rotation, IAM policy hardening, use of env vars
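The detection side of this case, as an added illustration rather than Sherlocked's or the client's own tooling: a minimal hardcoded-secret scanner of the kind GitLeaks and TruffleHog implement at scale. It combines a fixed-format pattern (AWS access key IDs always start with `AKIA` followed by 16 uppercase alphanumerics) with an entropy check on string literals assigned to secret-looking variable names, so a low-entropy default like `"changeme"` is not reported while a real-looking key is. The sample config and the `credentials_from_env` helper are constructed for this example; the key values are the public placeholders from the AWS documentation.

```python
import math
import os
import re

# Added example, not Sherlocked Security's tooling or the client's code.

# AWS access key IDs have a fixed, documented shape: "AKIA" + 16 uppercase
# alphanumerics. A shape-based pattern like this gives very few false positives.
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")

# A secret-looking variable (secret, password, token, api_key ...) assigned a
# quoted literal of at least 8 characters. Reading from os.environ does not
# match because no quote follows the '='.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b([a-z0-9_.-]*(?:secret|password|passwd|token|api_key)[a-z0-9_.-]*)"
    r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits per character: random key material scores high, dictionary words low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def find_hardcoded_secrets(source: str, min_entropy: float = 3.5) -> list:
    """Scan source text line by line and return a list of finding dicts."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "value": m.group(1)})
        for m in SECRET_ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            # Only high-entropy literals are reported; defaults and words are skipped.
            if shannon_entropy(value) >= min_entropy:
                findings.append({"line": lineno, "kind": "high_entropy_literal",
                                 "name": name, "value": value})
    return findings


def credentials_from_env(env=None) -> dict:
    """The remediation pattern: credentials come from the environment, never from
    a committed file, and a missing variable fails loudly instead of silently."""
    env = os.environ if env is None else env
    missing = [k for k in ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY") if k not in env]
    if missing:
        raise RuntimeError(f"missing credentials in environment: {missing}")
    return {"access_key_id": env["AWS_ACCESS_KEY_ID"],
            "secret_access_key": env["AWS_SECRET_ACCESS_KEY"]}


# Constructed sample: a config.py as it might be found committed to a repository.
# The AWS values are the public example keys from the AWS documentation.
SAMPLE_CONFIG = """\
# constructed sample config committed to the repo
DEBUG = False
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DEFAULT_ADMIN_PASSWORD = "changeme"
DB_PASSWORD = os.environ["DB_PASSWORD"]
"""

if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['kind']}")
```

Run against the sample, the scanner reports the access key ID on line 3 and the high-entropy secret on line 4, and stays quiet on the `"changeme"` default and the `os.environ` lookup. In a CI pipeline the same check runs as a pre-commit or merge gate, and any key it finds is treated as compromised and rotated regardless of whether the repository is private.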
🔒 Broken Authorization Logic
Client: FinTech Mobile App
Findings: Bypass via user_id manipulation
Our Role:
- Reviewed business logic
- Delivered fixed auth control patterns
Outcome:
- Passed internal security audit
- Shipped update with secure logic patch
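The pattern behind this finding, shown as an added example that is not the client's code or Sherlocked's deliverable: an endpoint that trusts a client-supplied `user_id` lets any authenticated user read another user's record simply by changing the value (an insecure direct object reference). The hardened version still accepts the identifier but makes an explicit object-level authorization decision against the identity the auth layer established. The account store, `Request` class and `support` role are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Added example, not the FinTech client's code. It shows the vulnerable and
# the fixed authorization pattern side by side.

# Constructed sample data: two customers' account records, keyed by account id.
ACCOUNTS = {
    101: {"owner": 101, "balance": 2500.00},
    202: {"owner": 202, "balance": 80.00},
}


@dataclass
class Request:
    session_user_id: int                         # identity set by the auth layer
    params: dict = field(default_factory=dict)   # client-controlled query/body input
    roles: frozenset = frozenset()               # roles attached to the session


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_account_vulnerable(req: Request) -> dict:
    """Before: the record is selected purely by the client-supplied user_id.
    Authentication happened, authorization never did, so user 101 can read
    account 202 by editing one parameter."""
    account_id = int(req.params["user_id"])
    return ACCOUNTS[account_id]


def get_account_fixed(req: Request) -> dict:
    """After: look the record up, then check that the authenticated principal
    owns it (or holds a role that legitimately spans accounts)."""
    account_id = int(req.params["user_id"])
    account = ACCOUNTS.get(account_id)
    if account is None:
        raise NotFound(account_id)
    if account["owner"] != req.session_user_id and "support" not in req.roles:
        # Log the principal and target id: repeated denials across many ids are
        # the detection signal for enumeration attempts.
        raise Forbidden(f"user {req.session_user_id} may not access account {account_id}")
    return account


def check_access(req: Request) -> str:
    """Summarise the fixed handler's decision as a string for easy checking."""
    try:
        get_account_fixed(req)
        return "ok"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"


if __name__ == "__main__":
    tampered = Request(session_user_id=101, params={"user_id": "202"})
    print("vulnerable:", get_account_vulnerable(tampered)["balance"])   # other user's data
    print("fixed:", check_access(tampered))                             # forbidden
```

The fix is deliberately not "derive the id from the session and ignore the parameter": that works for a self-service endpoint but not for support tooling that legitimately accesses other accounts. Centralising the ownership-or-role check in one place, and making every data-access path go through it, is the reusable control pattern the report hands to developers; returning 404 for both the missing and the forbidden case is a common further refinement when account ids should not be enumerable.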
🛡️ 10. SOP – Standard Operating Procedure
- Onboarding + NDA
- Repo access & tech overview
- Identify code modules + attack surface
- Run static code analysis tools
- Manual review of auth, input, crypto, logic
- Detect secrets/hardcoded values
- Review error handling + API integrations
- Share findings & support fixes
- Retest updated code
- Handoff security certificate
📋 11. Sample Code Review Checklist (Preview)
- Perform static code analysis.
- Check for hardcoded secrets or credentials.
- Analyze input validation and sanitization.
- Review authentication and access control logic.
- Evaluate session and token management.
- Check for use of outdated or vulnerable libraries.
- Inspect cryptographic implementations.
- Analyze business logic for flaws.
- Review error handling and logging practices.
- Validate adherence to secure coding standards.
📬 Contact Us or 📅 Book a Consultation