Security Consulting

Web application and infrastructure hardening grounded in operational practice.

Overview

How I approach this work

I run my own quarterly security audits across 7 production servers — the most recent one in April 2026 identified 41 issues, which I then worked through and remediated. Security consulting draws on that operational practice plus the deeper application security work I have done building auth systems for multi-tenant SaaS: __Host- cookies, dual JWT rotation, scrypt hashing, timing-attack mitigation, and security_stamp session invalidation.

Security engagements cover two layers: applications and infrastructure. On the application side I work through the OWASP Top 10 against the actual codebase — authentication and session management, input validation, CSRF and CSP, rate limiting, XSS prevention, and third-party integration review. On the infrastructure side I audit SSH access, firewall rules, fail2ban configuration, TLS posture, secret handling, backup integrity, and incident response posture. The deliverable is a written audit with severity ratings, a remediation plan, and — critically — verification that the fixes actually close the issues. I do not hand over a PDF of findings and walk away. Ongoing, I can set up dependency monitoring and quarterly review cadence so security stays a practice rather than a one-off project.

Deliverables

What a typical engagement produces

Concrete artifacts from this kind of work.

Written audit
A written security audit covering applications and infrastructure, with severity ratings, reproduction steps where relevant, and a prioritized remediation plan.
Hardening changes
Concrete hardening applied against the real system — security headers, authentication improvements, SSH and firewall tightening, dependency upgrades — with verification that the fixes landed.
Ongoing review cadence
A documented process for quarterly security reviews, dependency monitoring, and incident response — so security stays operational instead of one-off.
Most recent self-audit: 41 issues, April 2026
Production servers operated: 7
Years on security engineering: 4+

Related areas

Other parts of my practice that overlap with this one.

Performance Consulting

Infrastructure and web performance that shows up in the numbers.

AI Consulting

Practical AI integration, tested in production.