8grams8grams.
BlogCasesEbook
ENID
Start a Project
ENID
Start a Project
8grams8grams.

AI-powered software studio taking your web apps, mobile apps, and cloud infrastructure from idea to production.

Get in touch

  • [email protected]
  • WhatsAppWhatsApp: +62 811-3143-975
Read 8grams on MediumLike 8grams on FacebookFollow 8grams on InstagramFollow 8grams on LinkedInFollow 8grams on X

Pages

  • Cloud Migration
  • Cost Optimization
  • Cybersecurity
  • Kubernetes Migration
  • Cloud Cost
  • Kubernetes Ops
  • CI/CD Pipeline
  • Cases
  • Blog
  • Contact

Services

  • DevOps & Cloud Infrastructure

    Reliable, scalable infrastructure engineered for growth.

  • Web Application Development

    Custom web apps built for real business outcomes.

  • Mobile App Development

    iOS and Android apps users actually want to use.

  • Web Company Profile

    Fast, search-friendly company sites with measured SEO, GEO, and AEO.

  • Cybersecurity

    Find and fix security issues before they become incidents.

Start a Project

We reply within one business day.

© 2026 8grams Technology. Surabaya, Indonesia.

Built for teams with something to ship.

Chat with us
Web Development/Security Engineering
Security Engineering

OWASP-hardened before it ships.

Most breaches come down to preventable mistakes such as injection, broken authentication, or a misconfigured secret. Those are closed off while your app is being designed and built, not in an audit after launch. Your application is penetration tested before a single real user touches it.

  • OWASP Top 10 dealt with at the architecture and code level
  • Secrets kept in environment vaults, never in the code or the logs
  • Dependency vulnerability scanning in CI on every pull request
  • A penetration test run before every production go-live
Get a quoteWhy this matters

Security tools your team can keep running after we leave.

SnykSonarQubeHashiCorp VaultOWASPGitHub ActionsDocker
Why

Security bolted on at the end costs ten times more.

A vulnerability that reaches production is far more expensive to fix than one caught in code review. The OWASP Top 10, things like SQL injection, XSS, and broken authentication, has barely changed in years. There's no good reason to still be shipping them.

Security review only happens after launch

The app goes live. Three months later the security team finally schedules a review and finds SQL injection in the search field and secrets sitting in the git history. Now you're fixing it all under pressure.

Secrets in .env files that no one rotates

The database password lives in a .env file that's been copied to production, to staging, and onto three developer laptops. Nobody can say when it was last rotated or who still has a copy.

Dependencies that nobody is auditing

npm audit reports 47 vulnerabilities, and they've been sitting there for six months. Nobody has the time to work out which are real risks and which are noise, so nothing gets touched.

Compliance requirements that show up after the build

A new enterprise client wants ISO 27001 evidence. The penetration test was never done and the audit trail doesn't exist, so the deal is suddenly in jeopardy.

The Process

How the work actually runs.

Each step has a clear deliverable and a written handoff, and we get your sign-off before moving to the next one.

01

Threat modelling

While the app is still being designed, we map the data flows, trust boundaries, authentication points, and third-party integrations. The threats get written down and the mitigations agreed before any code exists.

02

Secure coding standards

OWASP practices applied at the code level: parameterised queries, output encoding, sound auth patterns, careful session management, and input validation on every entry point.

03

Secrets and configuration management

Secrets live in environment vaults such as HashiCorp Vault or AWS Secrets Manager. No credentials sit in the code or in the logs, and the rotation procedure is documented.

04

Security in CI

SAST with Semgrep or CodeQL runs on every pull request. Dependency scanning through Snyk or Dependabot flags new CVEs, and container images are scanned before they reach any environment.

05

A penetration test before launch

A full penetration test before any real users get near the app. We address the findings, re-test, and hand you the report to keep.

The Result

What you walk away with.

Real deliverables you can point to and outcomes you can measure. Not a slide deck.

0OWASP Top 10 open

Every critical vulnerability closed before go-live

The OWASP Top 10 is the minimum bar. Nothing we build ships with an open critical or high finding.

Pre-launchpen test included

Tested by an attacker before a real one finds the gap

Every application we build is penetration tested before launch, and the report is part of the engagement rather than an add-on.

CI-enforceddependency scans

New CVEs caught before they merge

Dependency scanning runs on every pull request, so your team hears about a new vulnerability before it reaches production.

An audit trail enterprise buyers will accept

Threat models, pentest reports, SAST scan history, and secrets management documentation: the evidence package that ISO 27001 auditors and enterprise procurement teams ask for.

FAQ

Common questions.

Is the penetration test done by your team or a third party?

By our own security team. They're certified penetration testers, holding OSCP and CEH, and they test every web application we build before go-live. If you need an independent third-party test for compliance, we can point you to one, but we still run our own test first.

What's in the penetration test report?

An executive summary, CVSS-scored findings with evidence and steps to reproduce them, guidance on how to fix each one, and a re-test once you've addressed them. It's a proper report, not raw scanner output.

Can you add security practices to an app you didn't build?

Yes. Auditing and hardening a codebase we inherit is common work for us. We rank the issues by risk and fix them a step at a time, starting with the most severe.

How do you address the OWASP Top 10 specifically?

We map each OWASP Top 10 category to a concrete control: parameterised queries for injection, sound session and token handling for broken authentication, output encoding for XSS, access checks for broken access control, and so on. The mitigations are agreed during threat modelling and verified again in the penetration test.

How do you handle authentication and authorisation?

We use proven patterns rather than rolling our own: secure password hashing, short-lived tokens with refresh, optional multi-factor authentication, and per-resource authorisation checks on the server. Authorisation is enforced on the backend, never assumed from the UI hiding a button.

How is sensitive data protected at rest and in transit?

Data in transit is protected with TLS everywhere, and sensitive data at rest is encrypted in the database. Secrets live in an environment vault rather than the code, and we minimise what personal data is stored and logged in the first place.

Is a penetration test included, and who runs it?

Yes, a full penetration test before go-live is part of every build, run by our own certified testers (OSCP and CEH). We fix the findings, re-test, and hand you a CVSS-scored report you can keep for compliance or share with an enterprise buyer.

How do you keep dependencies and CVEs under control?

Dependency scanning through Snyk or Dependabot runs on every pull request, so new CVEs are flagged before they merge. We triage real risks from noise and keep critical libraries patched, rather than letting an npm audit backlog pile up unread.

What security artefacts do we get at handover?

You receive the threat model, the penetration test report with re-test results, the SAST and dependency scan history, and the documented secrets and rotation procedures. Together these form the evidence package that ISO 27001 auditors and enterprise procurement teams ask for.

Can you help us meet compliance requirements like ISO 27001 or SOC 2?

We can't certify you, but we build the technical controls and produce the evidence those frameworks expect: access controls, audit trails, encryption, secrets management, and tested incident handling. That makes the eventual audit far smoother because the groundwork is already in place.

Contact Us

Have a project in mind? Let's build it.

Tell us where the project stands right now. Within one working day we'll come back with a straight read on scope, timeline, and cost. There's no commitment in asking.

Email

[email protected]

Office

Surabaya, Indonesia

Starting price

From USD 4,000

Typical projects: USD 4,000–25,000

Tell us about your project

We'll reply within one business day, and we won't put you through a sales pitch.

Prefer to chat? WhatsApp us