Revitt Vibe Check
The 50 points.
This page lists everything we check. The report goes further: we score every point Pass / Warning / Fail against your actual code, show the evidence, explain what each finding means for your specific app, and hand you a prioritised fix list. Each check maps to the OWASP Top 10, the OWASP API Security Top 10, the OWASP ASVS, and UK GDPR.
Security
This is where things go wrong fastest. A single missing access check or a leaked key can do real damage before you even notice.
Authentication & Access Control
- 1. Authentication is offloaded — passwords aren’t yours to store (OWASP A07 · Critical)
- 2. Session tokens and JWTs expire and are properly invalidated (CWE-613 · High)
- 3. Object-level access is enforced server-side (IDOR) (CWE-639 · Critical)
- 4. Function-level authorisation is enforced on the server, not hidden in the UI (OWASP API5 · Critical)
- 5. Multi-tenant data isolation — one tenant cannot reach another’s data (OWASP A01 · Critical)
- 6. No privilege escalation between user roles (OWASP A01 · High)
Injection & Input Handling
- 7. SQL queries use parameterised statements, not string concatenation (CWE-89 · Critical)
- 8. User-supplied content is encoded before being rendered in HTML (XSS) (CWE-79 · High)
- 9. File uploads are validated server-side for type, size, and content (OWASP A03 · Critical)
- 10. URL-fetching features cannot be redirected to internal infrastructure (SSRF) (OWASP A10 · High)
- 11. No user input reaches shell commands or system execution (CWE-78 · Critical)
Secrets & Configuration
- 12. No secrets committed to the repository (CWE-798 · Critical)
- 13. Secrets are not bundled into client-side JavaScript (OWASP A02 · Critical)
- 14. Development and production credentials are separated, and production runs with debug off (OWASP A05 · High)
API & Business-Logic Abuse
- 15. Rate limiting and resource-consumption controls are in place (OWASP API4 · High)
- 16. Mass assignment is blocked — API inputs cannot overwrite internal fields (CWE-915 · Critical)
- 17. Business logic resists tampering — price manipulation, sequence abuse, and replay (OWASP API6 · Critical)
Web & Cloud Hardening
- 18. HTTPS everywhere with HSTS and security response headers (OWASP Secure Headers · High)
- 19. CORS policy is not wildcard (OWASP A05 · High)
- 20. Cloud security basics: least-privilege IAM, no public buckets, metadata endpoint not reachable (AWS Well-Architected · Critical)
Engineering & Ops
The engineering craft behind a system that keeps working: the things a senior engineer checks that rarely make it onto anyone else’s list.
Automated Testing & QA
- 21. Critical paths have automated tests that assert real behaviour (OWASP ASVS · High)
- 22. End-to-end tests cover the key user journeys (Test Pyramid · High)
- 23. Tests run in CI and block merge or deploy on failure (OWASP CI/CD Top 10 · High)
- 24. Coverage is meaningful: failure paths tested, no theatre or chronic flakiness (OWASP ASVS · Medium)
- 25. A pre-production verification step exists before real users are affected (Twelve-Factor App · High)
Containerisation & Reproducibility
- 26. App runs from a Dockerfile or reproducible setup script — no hand-assembled server (Docker security · High)
- 27. Base images and package dependencies are pinned — no :latest, no floating ranges (SLSA · High)
- 28. Dev/prod parity: local and production run the same runtime and share config via env vars (Twelve-Factor App · Medium)
- 29. A new engineer can bring the full application up locally with one command from the README (Twelve-Factor App · Medium)
CI/CD & Deployment
- 30. Production deployments run through a pipeline, not direct server edits (OWASP CI/CD Top 10 · High)
- 31. A tested rollback path exists and can be executed in under ten minutes (OWASP DevSecOps · High)
- 32. A staging environment exists and changes are promoted through it before production (OWASP CI/CD Top 10 · High)
- 33. Infrastructure and configuration are defined as code in version control (Twelve-Factor App · Medium)
Vendor Lock-in & Portability
- 34. Platform portability: the app can be exported and run without the builder (Twelve-Factor App · Critical)
- 35. Data and schema ownership: full export in open formats, tested with a restore (ICO / UK GDPR · Critical)
- 36. Account, domain, and repo ownership: the business holds all access (NCSC Cloud · High)
Dependencies & Supply Chain
- 37. No known-vulnerable dependencies, and the lockfile is enforced in CI (OWASP A06 · High)
- 38. No abandoned packages, and third-party scripts and the build pipeline are integrity-checked (OWASP A08 · Medium)
Observability & Incident Readiness
- 39. Structured logs exist and show what actually happened (OWASP A09 · High)
- 40. Secrets and personal data are never written to logs (ICO / UK GDPR · Critical)
- 41. Uptime and error-rate alerting is in place, with a basic incident path (OWASP A09 · Medium)
Data, Migrations & Backups
- 42. Schema constraints and versioned migrations enforce data integrity (OWASP A08 · High)
- 43. Money and critical writes use database transactions (OWASP ASVS · Critical)
- 44. Backups exist and have been tested with an actual restore (OWASP A08 · Critical)
Code Quality & Maintainability
- 45. Errors are handled explicitly and never leak implementation detail to users (CWE-209 · High)
- 46. Business logic is separated from transport, and the app is documented for handover (OWASP ASVS · Medium)
Performance, Scale & Cost
- 47. No N+1 queries, missing indexes, or unbounded list endpoints (OWASP API4 · High)
- 48. Cloud spend controls are in place and runaway-cost traps are avoided (AWS Well-Architected · High)
Compliance
UK data protection law applies as soon as your first real user touches the app, so these are the basics worth getting right early.
Privacy & Compliance (UK)
- 49. UK GDPR / DPA 2018 compliance basics are in place (ICO / UK GDPR · High)
- 50. Cookie and tracking consent meets PECR requirements (ICO / PECR · High)
Plus · included with every Vibe Check
AI-Native Readiness
Six extra points that look at whether your app is built to make good use of AI, and whether it is safe to bring AI near your code and data even if the product has no AI in it. We check these because we build and run our own AI products, Intervals Pro and MCPlexer.
- A1. Operable by agents — a scoped, audited management surface (MCP) (Medium)
- A2. AI-assisted support and operations designed in, not bolted on (Medium)
- A3. Captures the AI opportunity where it genuinely adds value (Medium)
- A4. AI and agent access to production is scoped, audited, and human-gated (High)
- A5. AI features controlled for cost, reliability, and prompt injection (High)
- A6. Safe to work on this codebase and data with AI — secrets, PII, scoped access (High)
What the report actually tells you.
The list shows you what a senior engineer looks for. The Vibe Check goes through it against your own code, tells you what a pass should look like and where you fall short, and gives you a scored report with a prioritised fix list and a call to walk you through it. Three tiers from £249 + VAT.
Revitt Ltd · Company no. 13210870 · VAT GB-371727093 · hi@revitt.co