DEV Community

Discussion on: If you were tasked to conduct a security audit on a server/database-backed web app, where would you start?

Avery • Edited

Assuming I just wanted to get a quick one day check of things, and not a thorough security review, this is what I would look at:

There are free SAST and DAST tools available that could be useful to get a baseline done pretty quickly. For example, the OWASP ZAP project.

I would think about logging, alerting, and other APM stuff. If they don't know what kind of errors and issues are happening then they probably couldn't detect a hack. If they are logging things, then what are they paying attention to?

Next up would be dependency management and other general coding practices. Is there a code review process? Are there quality gates? How are defects resolved? How (if ever) do they update dependencies?

I would look at application boundaries. Where does data enter and leave the application? Is it sanitized and encoded? What is the overall risk exposure of the application, e.g., if someone nefarious got access, could they affect other apps/systems at the company? How much attack surface is there?

Finally, I would take a quick look at authentication and authorization. Are the APIs open to the public? How do they handle user logins? Time-wise it would take a lot of effort to review this (and I just don't have the skill to do so).