SECURE CODE REVIEW

CREST-Certified Secure Code Review for UK Businesses

Secure code review combines manual expert review with automated SAST tooling. We support Java, Python, JavaScript, TypeScript, Go, C#/.NET, Ruby, PHP, Rust, Kotlin, and Swift. Aligned to OWASP ASVS, OWASP Top 10, OWASP API Top 10, and CWE Top 25. ISO 27001 Annex A.14.2 secure development evidence.

CREST Member

Secure Code Review: OWASP ASVS · CWE Top 25 · Manual + Automated SAST
11 languages: Java · Python · JS · Go · C# · Rust
CREST Approved Provider · OWASP ASVS Aligned · Free retest included · 24h scope to active test

40% of vulnerabilities found in production were introduced in code that passed automated SAST. Manual review catches what tools miss.

SAST tools find patterns. Code reviewers find logic.

Modern SAST tools (Snyk, Semgrep, SonarQube, Veracode, Checkmarx) catch known patterns — SQL injection sinks, hardcoded credentials, deprecated crypto. They cannot tell you whether your authorisation logic correctly enforces tenant boundaries, whether your race-condition-prone payment endpoint can be exploited, or whether your custom JWT validation has a subtle signature-bypass flaw.

Our secure code review combines automated SAST tooling for breadth (Semgrep, CodeQL, language-specific tools) with manual expert review for depth (authorisation logic, business-logic flaws, race conditions, custom crypto). Reports map to OWASP ASVS levels (L1, L2, L3), CWE Top 25, OWASP Top 10, and OWASP API Top 10. Findings ship with example patch code, not just abstract recommendations. Reports satisfy ISO 27001 Annex A.14.2 secure development requirements.
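A worked illustration of that distinction, added here and not part of the original page: a parameterised invoice lookup that no injection-pattern rule will flag, yet which lets one tenant read another tenant's record, beside the patched form and the authorisation check a reviewer would write. The invoice schema, the tenant names and the toy pattern rule are constructed for the example.

```python
import inspect
import re
import sqlite3

# Toy rule in the spirit of a SAST pattern check: flag SQL built with + or %
# inside an execute() call. A parameterised query never matches it.
CONCAT_SQL = re.compile(r'execute\(\s*["\'].*?["\']\s*[+%]')


def sast_pattern_hit_src(source: str) -> bool:
    return bool(CONCAT_SQL.search(source))


def sast_pattern_hit(func) -> bool:
    return sast_pattern_hit_src(inspect.getsource(func))


def build_db() -> sqlite3.Connection:
    # Constructed sample data: two tenants, one invoice each.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoice (id INTEGER PRIMARY KEY, tenant_id TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO invoice VALUES (?, ?, ?)",
                     [(1, "tenant-a", 100), (2, "tenant-b", 250)])
    return conn


def get_invoice_sast_clean(conn, caller_tenant: str, invoice_id: int):
    # Parameterised, so there is no injection sink and nothing for the pattern
    # rule to flag. caller_tenant is accepted but never used: any authenticated
    # tenant can read any invoice by id (broken object-level authorisation).
    return conn.execute("SELECT id, tenant_id, amount FROM invoice WHERE id = ?",
                        (invoice_id,)).fetchone()


def get_invoice_fixed(conn, caller_tenant: str, invoice_id: int):
    # Example patch: the tenant boundary is part of the query, so another
    # tenant's invoice is indistinguishable from a missing one.
    return conn.execute(
        "SELECT id, tenant_id, amount FROM invoice WHERE id = ? AND tenant_id = ?",
        (invoice_id, caller_tenant)).fetchone()


def cross_tenant_read(func) -> bool:
    # The check a reviewer writes: can tenant-a read tenant-b's invoice (id 2)?
    return func(build_db(), "tenant-a", 2) is not None


if __name__ == "__main__":
    for f in (get_invoice_sast_clean, get_invoice_fixed):
        print(f.__name__, "sast_hit=", sast_pattern_hit(f),
              "cross_tenant_read=", cross_tenant_read(f))
```

Both functions pass the pattern rule; only the authorisation check separates them, which is the gap manual review is there to close.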

CODE REVIEW LANGUAGES + COVERAGE

What Secure Code Review Covers

Manual review by language-specialist consultants. Automated SAST baseline. Aligned to OWASP ASVS L1/L2/L3 verification levels.

CR-1 Java & Kotlin
Spring Boot, Jakarta EE, Android, JVM frameworks. JNDI, deserialization, Spring Security, JWT validation, race conditions in concurrent code.

CR-2 Python
Django, Flask, FastAPI, async patterns. Template injection, pickle deserialization, SQL injection in ORMs, OAuth flow validation.

CR-3 JavaScript & TypeScript
Node.js, Express, Nest, Next.js, React, Vue. Prototype pollution, ReDoS, npm supply chain, JWT verification, server-side request forgery.

CR-4 Go
Gin, Echo, Fiber, gRPC. Race conditions in goroutines, deserialization, custom crypto, context-handling timeout / cancel-token misuse.

CR-5 C# / .NET
ASP.NET Core, MVC, Entity Framework. Deserialization, identity / authorisation flaws, JWT validation, SignalR security.

CR-6 Ruby & Rails
Mass assignment (strong parameters), template injection, Marshal deserialization, ActiveRecord SQL injection patterns.

CR-7 PHP
WordPress / Drupal / Magento extension review, deserialization (phpggc), SQL injection in PDO, OAuth flows, file-upload validation.

CR-8 Rust
Memory safety (despite the language) — unsafe blocks, panic-prone code, dependency review (cargo-audit), serde deserialization.

CR-9 Swift & Objective-C
iOS app code review (use Mobile Pen Testing for runtime). Memory management, Keychain usage, certificate pinning code.

CR-10 Smart Contracts
Solidity, Vyper, Move, Cairo (use Smart Contract Audit page for full DeFi engagement). Code-review-only engagements available.

CR-11 OWASP ASVS Verification
L1 (basic), L2 (standard), L3 (advanced). Each finding pre-mapped to ASVS verification ID. Audit-grade evidence pack.

CR-12 SAST Tool Integration
Semgrep, CodeQL, Snyk, SonarQube, Checkmarx, Veracode integration. Existing tool tuning and false-positive reduction.

FOUR-PHASE METHODOLOGY

Secure Code Review — From Codebase to ASVS Evidence

Manual + automated combined. OWASP ASVS verification level assigned. Findings shipped with example patch code.

1. Codebase Walkthrough
Initial walkthrough with engineering team. Architecture review, dependency audit, threat-model alignment, scope agreement.

2. Automated SAST Baseline
Language-specific SAST tools run (Semgrep, CodeQL, Snyk, SonarQube). Findings de-duplicated, false positives filtered, baseline established.

3. Manual Expert Review
Manual review by language-specialist consultant. Authorisation logic, business-logic flaws, race conditions, custom crypto, integration assumptions.

4. Report & Patch Examples
OWASP ASVS-mapped findings, CVSS scoring, example patch code per finding. Free retest within 30 days. Direct engineer access via portal.

Verified Accreditations Auditors Accept

Every accreditation independently issued by a recognised UK certification body.

COMPLIANCE READY

Code Review Reports Mapped to Every Framework

Secure development evidence accepted across compliance frameworks where source-code-level review is a control requirement.

ISO 27001 A.14.2

Security in development and support processes — secure code review is core evidence for A.14.2.1 secure development policy.

OWASP ASVS L1/L2/L3

Application Security Verification Standard — findings tagged to specific ASVS verification IDs for direct submission to audit teams.

SOC 2 Type II

CC7.1 vulnerability identification at the source-code layer. CC8.1 change management evidence — code review is a documented change control.

PCI DSS Req 6.5

Secure development requirements — Req 6.5.1 through 6.5.10 specifically mandate manual review of common vulnerability classes.

NCSC Secure Development

UK government Secure Development guidance for application security — code review is the foundational control.

NIS2 + DORA

Application-layer secure development evidence for essential services and financial entities. ISO 27001 A.14.2 alignment satisfies both.

TRANSPARENT PRICING

Transparent Secure Code Review Pricing

All tiers include manual + automated SAST. Price varies by codebase size, language complexity, and ASVS verification level.

FOCUSED MODULE: £3,500 – £8,000 (depends on codebase size)

Single module / library / microservice. ≤10,000 LOC. Single language. ASVS L1/L2 verification. Typically 3-5 day review.

  • Free retests included
  • Free rescheduling
  • No cancellation fees
  • 24-hour scope to active testing
  • Live findings to client portal
  • Executive + technical report
  • 60-min walkthrough call
  • Letter of attestation

APPLICATION (most commissioned): £8,000 – £20,000 (depends on codebase size)

Full application — frontend + backend. 10,000-50,000 LOC. 2-3 languages. ASVS L2 verification. Typically 7-12 day review.

  • Free retests included
  • Free rescheduling
  • No cancellation fees
  • 24-hour scope to active testing
  • Live findings to client portal
  • Executive + technical report
  • 60-min walkthrough call
  • Letter of attestation

ENTERPRISE / MICROSERVICE: £20,000+ (depends on codebase size)

Multi-service architecture, polyglot codebase, 50,000+ LOC, ASVS L3 verification, supply-chain audit included. Typically 12-20+ day review.

  • Free retests included
  • Free rescheduling
  • No cancellation fees
  • 24-hour scope to active testing
  • Live findings to client portal
  • Executive + technical report
  • 60-min walkthrough call
  • Letter of attestation

What You Actually Get

Five things that distinguish our service from automated scans and box-tick competitors.

What You Get From Secure Code Review
Manual + automated SAST review, language-specialist consultants, OWASP ASVS-mapped findings, example patch code, free retest within 30 days.

Manual + Automated Combined
SAST tools for breadth, manual expert review for depth. Language-specialist consultants for the specific framework / library / pattern your codebase uses.

OWASP ASVS L1/L2/L3 Aligned
Findings pre-mapped to ASVS verification IDs. Audit-grade evidence pack ready for ISO 27001, SOC 2, PCI DSS submission.

Patch Examples Included
Every finding ships with example patch code in your language. Engineers fix faster. Your security team has reference material.

UK CREST + IASME + ISO 27001 + ISO 9001
Independently accredited. UK-based language-specialist consultants. Reports accepted by every UK auditor.

Frequently Asked

What is secure code review?

Secure code review is the manual + automated review of source code for security vulnerabilities. It catches issues that runtime testing (pen testing) cannot — particularly authorisation logic flaws, business-logic vulnerabilities, race conditions, and custom cryptography. Aligned to OWASP ASVS verification levels (L1, L2, L3).

How is code review different from pen testing?

Pen testing is black-box / runtime — finds vulnerabilities reachable from outside. Code review is white-box / source-level — finds vulnerabilities at any depth, including those that aren’t reachable through normal application use. Use both: pen testing for external attack surface, code review for development-phase assurance.

What languages do you support?

Java, Kotlin, Python, JavaScript, TypeScript, Go, C#/.NET, Ruby, PHP, Rust, Swift, Objective-C. Smart contract languages (Solidity, Vyper, Move, Cairo) are covered in our dedicated Smart Contract Audit. Other languages on request — we maintain language-specialist subcontractor relationships.

How long does code review take?

Single module (≤10,000 LOC, 1 language): 3-5 working days. Full application (10,000-50,000 LOC, 2-3 languages): 7-12 days. Enterprise polyglot (50,000+ LOC, microservice mesh, ASVS L3): 12-20+ days. Test duration is determined during scoping based on lines of code and complexity.

How much does secure code review cost in the UK?

Focused module £3,500-£8,000. Application (most commonly commissioned) £8,000-£20,000. Enterprise / microservice £20,000+. UK day rates for CREST + language-specialist consultants are £1,200-£2,000 per day.

What SAST tools do you use?

We tool-up based on language. Semgrep + CodeQL for breadth across most languages. Language-specific: SpotBugs / Find Security Bugs for Java; Bandit for Python; ESLint security plugins for JavaScript; Brakeman for Ruby; gosec for Go. We integrate with your existing tools (SonarQube, Snyk, Checkmarx, Veracode) where deployed.

Will you provide example patch code?

Yes. Every finding ships with example patch code in your language. We don’t just say “use parameterised queries” — we show exactly what the parameterised query should look like in the framework you’re using. Engineers fix faster, your team has reference material.

Can you align to OWASP ASVS L1/L2/L3?

Yes. ASVS verification level is agreed during scoping. L1 (basic) covers automated scanning. L2 (standard) is the typical commercial baseline. L3 (advanced) is for high-assurance applications. Each finding pre-mapped to specific ASVS verification IDs.

Do you review supply chain (dependencies)?

Yes. Dependency / supply-chain review is included. We audit npm / pip / Maven / NuGet / Cargo dependencies for known vulnerabilities (CVE matching), suspicious packages, abandoned maintainers, typosquats, and dependency-confusion risk. Particularly important post-CrowdStrike supply-chain incidents.

Do you do remediation validation (retest)?

Yes. Free retest within 30 days of report delivery. Both automated (SAST re-run) and manual review of remediated code. No additional engagement fee.

Are your reviewers UK-based and what experience do they have?

UK-based and international language-specialist consultants. Relevant background: production application development experience in their specialist language, plus security certifications (CREST CRT, OSWE for web languages, OSCP). Many also have OWASP project contributor backgrounds.

Do you sign NDAs?

Yes. Standard NDA before any source-code access. We operate under a project-specific master agreement that includes source-code IP protection, post-engagement code destruction, and embargo periods for findings.

READY TO SCOPE

Book a Code Review Scoping Call

30 minutes with a CREST + language-specialist consultant. Fixed-price quote within 24 hours. No sales pipeline.