Security Consulting
Web application and infrastructure hardening grounded in operational practice.
Overview
How I approach this work
I run my own quarterly security audits across the production systems I operate, then work through and remediate what each one surfaces. Security consulting draws on that operational practice plus the deeper application security work I have done building auth systems for multi-tenant SaaS: __Host- cookies, dual JWT rotation, scrypt hashing, timing-attack mitigation, and security_stamp session invalidation.
Security engagements cover two layers: applications and infrastructure. On the application side I work through the OWASP Top 10 against the actual codebase — authentication and session management, input validation, CSRF and CSP, rate limiting, XSS prevention, and third-party integration review. On the infrastructure side I audit SSH access, firewall rules, fail2ban configuration, TLS posture, secret handling, backup integrity, and incident response posture. The deliverable is a written audit with severity ratings, a remediation plan, and — critically — verification that the fixes actually close the issues. I do not hand over a PDF of findings and walk away. On an ongoing basis, I can set up dependency monitoring and a quarterly review cadence so security stays a practice rather than a one-off project.
Deliverables
What a typical engagement produces
Concrete artifacts from this kind of work.
- Written audit: A written security audit covering applications and infrastructure, with severity ratings, reproduction steps where relevant, and a prioritized remediation plan.
- Hardening changes: Concrete hardening applied against the real system — security headers, authentication improvements, SSH and firewall tightening, dependency upgrades — with verification that the fixes landed.
- Ongoing review cadence: A documented process for quarterly security reviews, dependency monitoring, and incident response — so security stays operational instead of one-off.

- Audit cadence: Quarterly, with remediation
- Application security: Auth, sessions, OWASP Top 10
- Infrastructure hardening: SSH, TLS, secrets, backups
Related areas
Other parts of my practice that overlap with this one.
Performance Consulting
Infrastructure and web performance that shows up in the numbers.