MemCyber
B2B SaaS Source Code Review North America 2 weeks

Case study

SaaS Compliance Platform

Static review of a Node.js + Postgres compliance product. Surfaced authn primitive misuse, SSRF in import tooling, and dependency confusion risk.

  • LOC reviewed: ~85k Node + SQL
  • High findings: 3
  • SOC 2 driver: Type I prep
  • Auth rewrite: next quarter

Findings summary

3 High, 9 Medium, 12 total findings

Problem

The brief.

A B2B SaaS company building a compliance product needed a pre-SOC 2 source review. Leadership wanted a senior-led read of the auth surface and integration tooling before the first external auditor pass.

Approach

How we ran it.

Two-week threat-modeled static review. Focused on auth primitives, SSRF surfaces in document import, secret handling, and CI/CD pipeline risk. Semgrep custom rules paired with manual read of the auth layer.

Result

What changed.

Three High findings: SSRF in the document import tooling, dependency-confusion exposure on an unclaimed npm scope, and a subtle auth bypass in the SSO handoff. Nine Medium findings in secret rotation and rate-limit hygiene. The client rebuilt the auth layer in the following quarter.

Methodology

What we did.

  • Semgrep custom rules
  • Auth + SSO line-by-line
  • CI/CD + npm scope audit
  • Remediation roadmap delivered

Outcome

Remediation roadmap delivered; client shipped v2 of auth layer within a quarter.

Similar stack?

We run targeted assessments against exactly these classes of problem. Named reference available on request.