A fixed-fee, fixed-scope security review of your OAuth2, OIDC, WebAuthn, or passkeys implementation — delivered in two weeks with an auditor-ready report.
Examples of the findings we report:
algorithms: ['HS256', 'none']  ->  Algorithm confusion: the verifier's allow-list includes "none", so it accepts unsigned tokens.
state = Math.random().toString()  ->  OAuth state is generated with a non-cryptographic PRNG (predictable) and the callback does not require it.
session.maxAge = 86400 * 30  ->  30-day session lifetime exceeds the 24 h recommendation.
Three phases, fully predictable. Scope is fixed upfront so the price stays fixed.
ANALYZE
We perform a manual, standards-grounded code review of your authentication flows. Every finding is traced to its exact location in your code, mapped to an OWASP ASVS requirement or RFC, and rated by exploitability and impact.
This phase covers:
Fixed scope protects the fixed price. Everything below is agreed upfront.
Productized means predictable. Here's exactly what happens, day by day.
Fixed-fee, visible upfront. Prices exclude VAT (21% BTW/TVA, where applicable).
One authentication flow (e.g., OAuth2 login, WebAuthn registration, or SSO integration). One repository.
Up to three flows, one repository. Includes federation and multi-tenant analysis if applicable.
A short list of requirements that keeps the engagement on track and prevents delays.
Reviews are conducted against established standards and specifications. Every finding in the report is mapped to one or more of these standards, so your auditors and engineering team can verify against a known reference.
OWASP ASVS v4
Sections V2 (Authentication), V3 (Session Management), V6 (Stored Cryptography)
OWASP Authentication & Session Management Cheat Sheets
OAuth 2.0 & extensions
RFC 6749, PKCE (RFC 7636), OAuth 2.0 for Native Apps (RFC 8252), Token Exchange (RFC 8693)
OpenID Connect Core 1.0
And relevant OpenID Foundation specifications
W3C WebAuthn Level 2 & FIDO2 / CTAP2
NIST SP 800-63B
Digital Identity Guidelines, Authentication Assurance
Confidentiality
Mutual NDA on every engagement. Code is accessed via read-only repository invite, processed in our local environment, and not retained beyond the engagement window.
Encrypted delivery
Final reports are delivered as password-protected PDFs, with passwords transmitted via a separate channel.
AI-assisted analysis
We use Anthropic Claude (via API) for code analysis under a data processing agreement that prohibits training on customer data. We do not use consumer AI products on client code.
No subprocessor uses your data for training
All AI and infrastructure subprocessors are contractually bound. Other model providers used (if any) are listed in our subprocessor register, available on request.
Liability
This engagement provides findings and recommendations. The client retains responsibility for assessing and implementing them. No security review can guarantee absence of vulnerabilities. This engagement is not a regulatory compliance attestation. Full terms and liability limits in our engagement letter.
No payment required. We confirm scope, answer questions, and quote within 24 hours.