Stephen Rees-Carter / Valorin Security
Let me introduce myself, I’m Stephen Rees-Carter, and I specialise in security audits and penetration testing for Laravel apps. I’ve been building and hacking Laravel apps since 2013, so I know how to help you secure your sites, and I’m excited to work with you! As a Laravel specialist, I know and understand how Laravel works, so I can focus on the areas that really matter and the unique challenges we can face in our apps. I can also answer any of your security questions and help you with securely designing different parts of your apps.
I’ve worked as a Senior Developer for many years on a wide range of apps, both large and small, so I know the challenges faced to keep everything secure while still providing all of the features required. I hold a CompTIA Security+ Certification and am a Certified Ethical Hacker. My focus for the past 6 years has been on teaching developers how to write secure code, through my talks, Laravel Security in Depth, and working directly with companies to audit and test their apps.
I'm the creator of Laravel Security in Depth
and you may have seen one of my Laracon talks
- I'm usually the one at the end giving everyone nightmares about why security is critical and how easy it is to hack into insecure apps!
Please reach out and we can discuss what you’re looking for!How My Laravel Security Audits Work
The way I work is a bit different from most pen tests that I’ve come across. Rather than simply point an automated scanner at your site and pass through the generated report, I take the time to read through and understand your code – looking for weaknesses and security anti-patterns (based on my extensive experience as a senior Laravel developer). I then take this knowledge and apply it to a penetration test of the app, trying to exploit any identified weaknesses, as well as perform other scans and security checks. I make it a policy to not touch production beyond passive unauthenticated scans, to ensure I don’t see or modify any of your customer’s data, and will run my penetration test against a staging/testing environment.
During the audit, we can connect via Slack, or a different communication tool of your choice. Rather than just give you a report at the end, I like to keep an open dialog during the process, updating you on my findings along the way. This gives you the opportunity to ask any questions you may have, as well as discuss and resolve any issues while I am directly available. I’m happy to explain my findings in depth, and help you work through possible fixes.
After the audit is complete, I’m happy to answer any questions or clarify any of the findings. If you’d like me come back and review your changes and fixes for the issues discovered during the audit, we can figure out a timeframe and pricing once we have any idea of might be required. Likewise, if you need any direct help resolving any issues found.
For further developer education, I also offer developer workshops based around my hacking talks, where I teach developers how to think like hackers, identify security issues in their apps, and write more secure code.
I look forward to working with you! 🙂That Sounds Great, How Do We Get Started?
The first step is to reach out and let me know you’re interested, and we’ll go from there.
Based on the way I work, knowing the size and structure of the app is important to work out how long I will need for the audit. These are the main points that I need to know to get started:
- Number of routes, controllers, commands, and models?
- Infrastructure/hosting environment?
- Front end framework/tooling?
- Monolith or microservices (and how many)?
- What areas you’re interested in having audited? (i.e. just the code, code and infrastructure, multiple apps, etc)
Once I’ve got an idea of the size of your app, I’ll let you know an estimated timeframe and price, and we can go from there. The more info you can provide, the better an idea I’ll have for what will be involved. Also let me know if you’ve got any specific budgetary and/or timeframe requirements.What Makes My Security Audits Unique
My methodology involves reviewing the code first, looking for potential vulnerabilities and weak points that could be exploited or improved. I then use what I learn from the code review to try and compromise the app, attacking the weak points, as well as checking other common areas and security features.
I use my knowledge of Laravel and many years of experience as a senior developer to look for weaknesses that will easily be missed by automated scanners and penetration testers who just check the common stuff. I can also work with you to fix any issues, and advise on specific code changes. Most pentests will simply give you a report, a leave you to figure it out how to fix them on your own.
A lot of penetration testers will simply throw an automated security scanner at your app, rebrand the results, run a few more generic tests, and then send you report filled with false positives. They have no understanding of how Laravel apps work, and don’t take into account the unique security features and design choices that go into building one.For more information about my audits, including testimonials from past clients, check out my website.