A penetration test the week before launch is the worst time to discover your auth model is broken. Teams that pass on the first attempt didn’t get lucky — they treated security as a build requirement, not a final inspection.
Why teams fail the first audit
The findings are remarkably consistent: broken access control, secrets in code or config, missing rate limiting, weak session handling, and unvalidated input. None of these are exotic. They map straight onto the OWASP Top 10 (and its API Security list), and every one of them is cheap to prevent and expensive to retrofit once the data model and routes are in production.
What we do from day one
- Threat-model early. Before code, we map what an attacker would want and how they’d try to get it.
- Get authorization right. Every endpoint checks “can this user do this to this object” — server-side, every time, and never trusting a client-supplied ID or role to answer that question. Missing this check is the classic IDOR, and it is the single most common finding we see.
- Automate scanning in CI. SAST, dependency and secret scanning run on every pull request, so issues are caught in minutes, not at audit.
- Manage secrets properly. Nothing sensitive in the repo; everything in a vault, fetched at runtime with least-privilege access and rotated on a schedule.
- Harden the basics. Rate limiting, input validation, encryption in transit and at rest, and full audit logging.
The pre-audit checklist
Before any external test we run our own — an internal pentest, a dependency review and an access-control audit — and fix what we find. By the time the official testers arrive, there’s little left to discover. That’s the goal: make the real audit boring.
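Here is what the “can this user do this to this object” check from the day-one list and the access-control audit from the pre-audit checklist look like together, as an added example that is not part of the original post. It is framework-free Python: the handlers take an authenticated user and an object ID and return a status and body the way a minimal web framework would, the users and invoices are constructed sample data, and the names `can`, `get_invoice_insecure`, `get_invoice_secure` and `audit_object_access` are illustrative rather than any real project's API.

```python
"""Object-level authorization: an IDOR-vulnerable handler beside the fixed one,
plus a pre-audit check that walks every (user, object) pair and reports any
response the policy says should have been denied."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


# --- constructed sample data, not taken from any real system ---
@dataclass(frozen=True)
class User:
    id: str
    org: str
    role: str  # "member" or "admin"


@dataclass(frozen=True)
class Invoice:
    id: str
    org: str
    total_cents: int


USERS: Dict[str, User] = {
    "alice": User("alice", "acme", "member"),
    "bob": User("bob", "globex", "member"),
    "root": User("root", "acme", "admin"),
}
INVOICES: Dict[str, Invoice] = {
    "inv-1": Invoice("inv-1", "acme", 12_500),
    "inv-2": Invoice("inv-2", "globex", 9_900),
}

Response = Tuple[int, dict]
Handler = Callable[[User, str], Response]


def can(user: User, action: str, invoice: Invoice) -> bool:
    """The one policy function every handler must consult (hypothetical name).
    Members may read invoices in their own org; only org admins may delete."""
    if user.org != invoice.org:
        return False
    if action == "read":
        return True
    if action == "delete":
        return user.role == "admin"
    return False


def get_invoice_insecure(user: User, invoice_id: str) -> Response:
    """IDOR: the caller is authenticated, but the handler never asks whether
    this invoice belongs to them. Any valid ID from any tenant is returned."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, {}
    return 200, {"id": inv.id, "total_cents": inv.total_cents}


def get_invoice_secure(user: User, invoice_id: str) -> Response:
    """Look the object up, then check the policy server-side before returning it.
    'Missing' and 'not yours' both map to 404 so the endpoint does not confirm
    which IDs exist to a caller who is probing them."""
    inv = INVOICES.get(invoice_id)
    if inv is None or not can(user, "read", inv):
        return 404, {}
    return 200, {"id": inv.id, "total_cents": inv.total_cents}


def audit_object_access(handler: Handler,
                        users: Dict[str, User] = USERS,
                        invoices: Dict[str, Invoice] = INVOICES,
                        action: str = "read") -> List[Tuple[str, str]]:
    """Pre-audit access-control check: call the handler for every (user, object)
    pair and report each 200 that the policy says should have been denied.
    Returns a list of (user_id, invoice_id) findings; empty means clean."""
    findings = []
    for user in users.values():
        for inv in invoices.values():
            status, _ = handler(user, inv.id)
            if status == 200 and not can(user, action, inv):
                findings.append((user.id, inv.id))
    return findings


if __name__ == "__main__":
    print("insecure handler findings:", audit_object_access(get_invoice_insecure))
    print("secure handler findings:  ", audit_object_access(get_invoice_secure))
```

Two design points are worth noting. The audit uses `can` as its oracle, so it catches a handler that forgot to call the policy (the IDOR) but not a mistake inside the policy itself; the policy function needs its own unit tests. And the exhaustive users-times-objects walk is what makes this a useful pre-audit check: a tester with two accounts will try exactly this, so running it in CI with representative fixtures means the real audit finds nothing here.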
The takeaway
You don’t pass a pentest by testing harder at the end. You pass it by designing for it from the first commit — threat-modelling, automated scanning, disciplined secrets and access control — so the audit confirms what you already know.