Skip to content

Free security review · Confidential & non-binding

How secure is your software, really?

Systems that grew over the years — or doubts whether the last agency did a clean job? We examine your code, dependencies and infrastructure and deliver a prioritised report with concrete vulnerabilities and clear recommendations.

  • Free & non-binding
  • Confidential · NDA on request
  • Reply within 24h on business days
  • In-house from Hamburg
REPORT HC-2026-··· · CONFIDENTIAL
Illustrative example

Outdated library with known vulnerability

Critical
package.json

Publicly documented — exploitable automatically

API key shipped in the JavaScript bundle

Critical
main.js

Readable by any visitor in the browser

Missing authorisation check on endpoint

High
/api/invoice/:id

Other customers' data readable by counting up IDs

● 2 critical ● 1 high · Every finding manually verified — no client data

Who it's for

Two situations where a review pays off immediately

Software that grew over time

Your system has been running for years. Extended, rebuilt, patched under deadline pressure. Nobody has the full picture anymore — and nobody dares touch an update because it's unclear what might break.

  • Dependencies not updated in years
  • The original developers are gone
  • No tests, no clean deployment

The second opinion

An agency or freelancer built it for you. It looks fine — but is it secure, clean and maintainable? We take an independent, factual look: verifiable findings, no rival-agency rhetoric.

  • Invoice paid, but the gut feeling remains
  • No insight into code quality and documentation
  • Unclear whether GDPR was implemented properly

Typical findings

What a report looks like — typical examples

Typical findings of the kind we see again and again — no client data. Recognise something?

HC-···-003Critical
Dependencies

Known vulnerability in an outdated library

"framework": "^2.1.████" // 3 known CVEs, incl. remote code execution

Risk: A publicly documented flaw — exploited automatically, no one has to target you specifically.

Typical in: systems without regular updates

HC-···-007Critical
Authentication

API key shipped in client-side JavaScript

const API_KEY = "sk_live_████████"

Risk: Any visitor can read the key in their browser and use your API at your expense.

Typical in: fast-grown frontends

HC-···-014High
Access control

Missing authorisation check on an endpoint (IDOR)

GET /api/invoice/1042 // never checks who owns the invoice

Risk: Customer A can read customer B's invoices simply by counting up the ID.

Typical in: portals and customer areas

HC-···-031Medium
Maintainability

No tests, no CI — every change is a blind flight

tests/ … empty · deployment: manual via FTP

Risk: Small fixes silently introduce new bugs; further development gets expensive and risky.

Typical in: takeovers from previous vendors

These are four of often dozens of findings. Your prioritised report shows which ones actually matter in your system. How we run software audits

Request your own report

2-minute self-check

Eight honest questions. Your blind spots in plain language.

No sign-up, no data sent to us — the check runs entirely in your browser. "Not sure" is a normal answer and still counts as an open point: what nobody has eyes on, nobody can secure.

Question 1 of 8: Have the libraries and frameworks behind your software been updated in the last 6 months?

Question 1 of 81/8

Have the libraries and frameworks behind your software been updated in the last 6 months?

Risk radar

  • Updates & dependencies
  • Access
  • Backups
  • Offboarding
  • Vendor dependency
  • Monitoring
  • GDPR & data flows
  • Independent review

Scope

What the security review puts under the microscope

Not a superficial scan, but the areas where mid-sized companies' software is most commonly vulnerable in our experience.

01

Code & architecture

Structure, patterns, error handling — obvious weaknesses in the application code.

Manual
02

Dependencies & supply chain

Outdated packages, known vulnerabilities (CVEs), risky licences.

Automated + CVE matching
03

Authentication & access

Sessions, tokens, roles and permissions: who can reach what — and who shouldn't?

Automated + manual
04

Data protection & GDPR

Data flows, storage, logging: where personal data lives and how it is protected.

Manual + scan
05

Infrastructure & deployment

Configuration, secrets, TLS, exposed endpoints, backups and recovery.

Automated + manual
06

Maintainability & operations

Tests, CI/CD, monitoring, technical debt — how safe are future changes?

Manual

Acute findings often turn into ongoing protection — our maintenance & support model takes over afterwards.

Process

From request to report — in four steps

The report is usually ready five to ten business days after we get access. You know at every point what is happening and what we can see.

01

Request & access

Describe your system briefly — a few sentences are enough. We agree on scope and, if you wish, an NDA. Read-only access or a code export is sufficient; you only share what you want to share.

02

Automated analysis

Scans across dependencies, secrets, known vulnerabilities and configuration — broad coverage in little time.

03

Manual review

An experienced developer reads the critical code: authentication, permissions, data flows — exactly where automated scanners are blind.

04

Report & debrief

You receive the prioritised report: every vulnerability with severity, plain-language risk and a recommendation — and we walk through it together in 30 minutes.

Honestly

Why is this free?

Because it pays off for us: some findings are relevant enough that clients commission the fix — often from us. You are not obliged to anything.

The most honest work sample

Instead of slides we show how we think — on your real system. That convinces more than any sales pitch.

The report is yours

You get the full report — with or without a follow-up engagement. Fix it yourself, hand it to your current agency, or shelve it: your call.

No sales pressure

One review, one report, one honest conversation. No subscription, no fine print, no weekly follow-up calls.

Free security review

Request your report

Two or three sentences about your system are enough — URL, tech stack, or simply what it's about. We sort out access afterwards, with an NDA if you wish.

We use your details to reply. Nothing else — no list, no newsletter.

FAQ

Common questions about the free security review

By the numbers

This is hafencity.dev

15+ Experts

Engineers, designers, and strategists working as one practice from our Hamburg HQ.

50+ Clients

Companies across consumer, healthcare, and B2B trust us with their digital products. Long-term partnerships are the default.

97% Recommendation rate

Repeat engagements and references our buyers actually call. Trust compounds when delivery does.

50+ Launches

Custom mobile and web products shipped from concept to maintenance — owned end-to-end by our team.

100% In-house

Strategy, design, and engineering all live at our Hamburg HQ. One team, one project lead, accountable to you from kickoff to launch.

Since 2023

Helping companies ship digital products — and growing alongside the teams we work with.

Next steps

Let's talk about your project

Book a 30-minute discovery call. We'll review your goals, surface unknowns, and outline how we would run the engagement.

Schedule a call

Booking calendar (Cal.com)

This area embeds the external service Cal.com. By loading it you agree that a connection to Cal.com is established and data may be transferred to the USA.

Privacy policy