How do I check my Supabase RLS policies for security holes?

AuditYourApp performs an automated deep-scan of your Postgres schema. It simulates attacker behavior to identify tables with missing Row Level Security (RLS) policies, permissive "true" policies, and unauthenticated public access risks.

Is AuditYourApp safe to run on a production database?

Yes. The scanner operates in a read-only context for 95% of checks. For write-access verification, it uses transaction rollbacks to ensure no dummy data is left behind.

Does it provide code to fix the security issues?

Yes. Unlike standard scanners that only report errors, AuditYourApp generates the exact SQL snippets and Policy definitions needed to patch vulnerabilities and secure your Supabase project.

What is the difference between the Single Snapshot and Continuous Guard?

The Single Snapshot ($49) is a one-time audit perfect for pre-launch verification. Continuous Guard ($29/mo) runs weekly scans to detect security regressions, ensuring new code pushes do not accidentally expose private data.

Does it offer manual expert review??

Yes, AuditYourApp offers an Expert Architecture Review ($499) which includes manual logic analysis by a human security engineer.

Pen testing applications: pen testing applications for startups

Think of pen testing applications as hiring a "digital locksmith"—a specialist you bring in to check every lock, window, and potential entry point to your app. It’s a controlled, simulated cyber-attack, designed to find and fix security weaknesses before actual attackers get a chance to exploit them. At its core, it's about keeping your users' data safe.

Why Modern Startups Need Application Pen Testing

A cartoon man holds a giant key, accessing a cloud with code symbols, representing digital locksmith services.

For today's startups and indie hackers, application penetration testing isn't just a "nice-to-have" checkbox. It's a genuine survival tool. When you're racing to ship features and grow your user base, security can easily get pushed to the back of the queue. This is a particularly sharp risk for teams building on modern stacks like Supabase and Firebase.

These backend-as-a-service (BaaS) platforms are incredibly powerful, but they completely change the security game. With the traditional server perimeter gone, security now rests almost entirely on how you configure the service. A single misconfigured rule can be the difference between a secure app and a completely exposed user database.

And in the fast-paced world of agile development, it’s frighteningly easy for one of those accidental vulnerabilities to slip into production.

The Trouble With Traditional Testing

The old way of doing things—manual pen testing—just doesn't fit the speed of modern development. It often creates a massive bottleneck for teams that need to move quickly.

First off, it’s slow. Scheduling and completing a manual test can take weeks, sometimes months. It’s also expensive, with costs that are often well out of reach for early-stage companies and solo developers.

This leaves you stuck in a dangerous limbo:

Speed vs. Security: Do you ship that new feature now, or do you halt everything and wait for a security audit?
Cost Barrier: The price tag alone means many apps launch with zero independent security validation.
A Moment in Time: A manual test is just a snapshot. Your app is only secure on the day of the test. The very next code push could introduce a brand-new vulnerability.

This isn't just a theoretical problem. The market data tells a clear story. In the UK, a massive 85% of organisations are now investing more heavily in pentesting services. This isn't a surprise when you realise that 43% of UK businesses have reported a cyber breach or attack in recent years. As you can read on DeepStrike's blog, it's a clear and present danger.

For agile teams, the real question is: how do you keep your modern applications secure without killing your momentum and budget?

Manual vs Automated Pen Testing At a Glance

The choice between traditional methods and modern automation is a critical one for agile teams. Here’s a quick comparison to highlight the key differences.

This table makes it obvious why the old model is breaking. For teams that ship code daily or weekly, an annual, expensive audit just isn't a practical way to manage risk.

This is where modern, automated tools come in. They are built to solve this exact problem, offering a practical way forward.

Tools like AuditYour.App are designed to mimic the investigative process of a human pen tester but deliver the results in minutes, not months. And they do it at a fraction of the cost.

By integrating directly into your development pipeline, these tools provide the continuous assurance you need to build and ship secure products with confidence. For any startup trying to build the future, getting this new approach to vulnerability management in the cloud right isn't just an advantage—it's essential.

Choosing Your Pen Testing Approach

Picking the right method for pen testing applications isn't a one-size-fits-all decision. It’s like figuring out the best way to test a building's security. You wouldn't use the same plan for a high-street shop as you would for a bank vault; each demands a different level of insight and a unique toolkit.

In the world of application security, we generally talk about three core strategies: black-box, white-box, and grey-box testing. Getting to grips with what each one offers is the key to spending your security budget wisely.

Black-Box Testing: The Outsider's View

Imagine you’re a professional safe-cracker hired to break into a vault, but you’re given zero information. No blueprints, no schematics, not even a clue about the manufacturer. All you have is the safe itself. This is the essence of black-box testing.

A tester approaches your application exactly as a real-world attacker would: completely blind. They start with nothing more than a public URL or a mobile app file (an IPA or APK) and begin poking and prodding from the outside. Their goal is to answer one simple question: "What could a determined attacker discover and exploit right now?"

Pros: It’s the most realistic simulation of an external attack and is brilliant at finding low-hanging fruit and obvious, high-impact flaws.
Cons: Because the tester is working blind, they can easily miss deep-seated vulnerabilities hidden within the app's internal logic.

For a startup or any business wanting a quick reality check, a black-box test is a fantastic way to find out if you've left any doors wide open.

White-Box Testing: The Insider's Audit

Now, let's flip the script. This time, you're not just given the safe; you're handed the full set of blueprints, the combination, and the manufacturer's service manual. This is white-box testing.

The tester receives complete, privileged access to your application’s inner workings. We're talking about everything:

Source code
Architecture diagrams
Database schemas
Internal admin credentials

Armed with this "god-mode" perspective, testers perform an exhaustive, line-by-line analysis of your entire system. It’s less about simulating an attack and more about a deep, structural security audit. This is the gold standard for achieving the highest level of assurance, but be warned—this depth comes at a cost in both time and money. If you want to explore this route with experts, it can be helpful to review some of the top penetration testing companies to see what specialised services they offer.

Grey-Box Testing: The Pragmatic Middle Ground

Grey-box testing lands squarely between these two extremes. Let's go back to our safe. This time, you're given a few useful hints—maybe you know the model has a known defect, or you're given a standard employee key. For pen testing applications, this means giving the tester some limited information, like a standard user account.

This is incredibly valuable because it lets the tester see the application from the perspective of a logged-in user. It’s the perfect way to uncover privilege escalation flaws, where a regular user might find a way to access admin functions or see another user’s data.

This approach has become especially relevant as cyber threats grow more sophisticated. In the UK, for example, sector-specific vulnerabilities are a massive concern. Educational institutions have been hit particularly hard—a staggering 91% of universities have suffered a breach. These attacks often exploit the very kinds of flaws in web and mobile apps that grey-box testing is perfectly designed to find.

Many modern automated tools, including AuditYour.App, work on a grey-box model. By combining code analysis with endpoint testing, they get the external perspective of a black-box test along with the internal context of a white-box test. This hybrid method offers a highly efficient and effective approach for today's fast-moving development teams. You can learn more about how this compares to other scanning methods in our SAST vs DAST article.

When you're building with modern tools like Supabase and Firebase, generic security checklists just don't cut it. The attack surface is completely different. Attackers aren't necessarily looking for old-school network flaws; they're hunting for subtle logic errors and misconfigurations that are specific to these powerful backend platforms.

A proper pen test for applications built this way needs a specialist's eye. It’s all about understanding the unique, high-stakes vulnerabilities that can turn your shiny new app into an open book for data thieves. Let's dig into the critical flaws that both seasoned security professionals and smart automated scanners are looking for.

The Dangers of Misconfigured Row Level Security

One of the standout features in Supabase is its use of Row Level Security (RLS). This is a powerful PostgreSQL feature that lets you write rules, or policies, about which specific rows in a database table a user is allowed to see or change. Think of it as a bouncer for your database tables, checking every user's credentials before letting them access any piece of data.

When it's set up correctly, RLS is a rock-solid defence. The problem is, a tiny mistake in the logic of an RLS policy can lead to a complete disaster. A single, poorly written policy might accidentally evaluate to true for every request, which effectively switches off all security for that table. Just like that, your entire user database could be exposed to anyone holding a valid API key.

The real kicker is that these flaws are often completely invisible during normal functional testing. The app will seem to work just fine, but under the hood, it’s quietly leaking sensitive user data on every query. This is where targeted fuzzing—hammering the policies with all sorts of unexpected inputs—is crucial to find and prove a leak.

Exploiting Unprotected Remote Procedure Calls

Another prime target for attackers are Remote Procedure Calls (RPCs), which in this context are custom database functions. You create these functions in your database to handle complex business logic, and you can call them directly from your app's frontend. They are incredibly useful.

But that convenience can backfire if the functions are left unprotected. If an attacker can figure out the name of an unprotected RPC—and sometimes they can be guessed—they can call it directly, completely bypassing any security checks you might have in your application layer.

Just think about the potential damage:

Data Manipulation: An attacker could call a function like delete_user_account without the proper authorisation, wiping out user accounts at will.
Privilege Escalation: A function named grant_admin_privileges could be invoked, instantly promoting a standard user to a super-admin with the keys to the kingdom.
Financial Impact: Imagine an unprotected process_refund function. An attacker could call it repeatedly, draining funds directly from your business.

Because these RPCs live inside the database, they often fly under the radar of traditional security tools, creating a major blind spot for many development teams.

To give you a clearer picture, this table pinpoints some of the most common configuration mistakes we see in these backend-as-a-service platforms and what the fallout can look like.

Vulnerability Hotspots in Supabase and Firebase

As you can see, a small oversight in your backend configuration can quickly spiral into a major security incident.

Hardcoded Secrets in Mobile and Web Apps

It might sound like an old mistake, but we still see hardcoded secrets in applications all the time. This is a huge risk, especially for mobile apps and modern single-page web applications.

When developers embed sensitive information like API keys directly into an IPA (for iOS), APK (for Android), or a frontend JavaScript bundle, they are essentially gift-wrapping the keys to their backend. An attacker can easily decompile a mobile app or just inspect the source code and network traffic of a web app to pull these secrets out.

Once they have your Supabase or Firebase API key, it's game on. They can start hammering your backend, looking for the very same RLS and RPC vulnerabilities we just talked about. This is why any comprehensive security audit has to include a deep dive into the app's compiled and bundled files.

While manual penetration testing is vital for uncovering complex logic flaws, automating parts of this process can make a huge difference. Using a dynamic code analyzer, for example, helps you continuously spot critical issues in your running applications, bridging the gap between development sprints.

Your Step-By-Step Pen Testing Workflow

Proper pen testing for applications isn't a one-and-done deal. It’s a structured, repeatable cycle that combines smart automation with a human expert's intuition. Having a clear workflow means you cover all your bases, moving from broad discovery right down to the technical details of an exploit, which is how you end up with a genuinely secure application.

Think of it as a security investigation. You begin by casting a wide net to gather clues, then you methodically zero in on the precise location and nature of any threats. This approach turns security from a frantic, reactive scramble into a process you can manage and repeat.

This five-step workflow is a practical framework that any team can use, whether you're a lone developer or part of a bigger startup. It's built to be a continuous loop, making it a perfect fit for the fast-paced world of modern, agile development.

Step 1: Reconnaissance and Footprinting

The first phase is all about intelligence gathering. Before you can even think about finding holes, you need to know exactly what you're defending. This means mapping out every single part of your application that's exposed to the internet.

Your goal is to build a complete picture of your attack surface. This includes:

Public URLs and IP Ranges: Finding all your web-facing assets.
Subdomains: Uncovering those forgotten environments like dev.yourapp.com or staging.api.yourapp.com.
API Endpoints: Listing out every function and service your application offers up.
Mobile App Analysis: Decompiling APK or IPA files to hunt for embedded URLs and secrets.

This stage is exactly what an attacker would do first. You're asking, "What does my application actually look like from the outside?" A thorough reconnaissance phase is critical—after all, you can't secure what you don't even know you have.

Step 2: Automated Scanning and Discovery

Once you have your map, it’s time to let the automated tools do their work. This is where you get a massive boost in efficiency. An automated scanner is like having a tireless security team that methodically prods every corner of your app, looking for known vulnerability patterns.

Automated scanning is your first line of defence. It quickly finds the low-hanging fruit and common misconfigurations—the simple mistakes that are responsible for a huge percentage of real-world breaches.

If you’re building on Supabase or Firebase, this is where you’d scan for things like leaky RLS policies, unprotected RPCs, and insecure Firebase rules. A tool like AuditYour.App, for instance, can automatically run logic fuzzing against your RLS policies to find and prove data leaks that would be almost impossible to spot by hand.

The diagram below shows a few of the common vulnerabilities that can be found at this stage.

A diagram illustrating the application vulnerability process flow with steps: RLS leak, RPC exploit, and API key compromise.

This process really highlights how one small oversight, like a badly configured rule, can quickly spiral into a major security incident. What you're left with at the end of this stage is a list of potential weaknesses that now need a closer look.

Step 3: Manual Verification and Analysis

Automation is a game-changer, but it’s not infallible. A scanner might flag an issue that’s actually a false positive, or it could miss a complex flaw that only a human, with an understanding of your business logic, would notice. This is where manual verification is absolutely crucial.

Here, a security professional—or a developer wearing their security hat—digs into the results from the automated scan. The main objective is to confirm that each potential vulnerability is real and to figure out its true impact on the business. You're essentially asking, "Can this flagged issue actually be exploited to cause any real harm?"

Step 4: Safe and Controlled Exploitation

Once you've verified a vulnerability, the next step is to prove its real-world impact. This is done through safe, controlled exploitation. The point isn't to cause damage; it's to provide undeniable proof of the risk.

For example, if you find an RLS leak, a tester might write a quick script to pull a few non-sensitive records, just to prove that unauthorised data access is possible. If an unprotected RPC is found, they could call it with harmless parameters to show it can be run without permission. This proof is what gets you the buy-in you need from the development team to prioritise a fix.

Step 5: Reporting and Remediation

The final step brings everything together. A good penetration test always ends with a clear, actionable report that documents every single finding.

This report needs to include:

A Non-Technical Summary: A high-level overview of the risk for stakeholders.
Detailed Technical Findings: The specifics of each vulnerability, including its severity.
Steps to Reproduce: Clear instructions so your developers can see the issue for themselves.
Actionable Remediation Advice: Real, concrete guidance—like secure code snippets or configuration changes—that developers can use to fix the problem.

Once everything is fixed, the cycle starts over. This continuous loop of testing, fixing, and re-testing is the heart of modern application security, and it's what lets you build and ship new features with confidence.

Integrating Security into Your CI/CD Pipeline

Diagram illustrating a secure software development pipeline from code commit to automated scan, CI/CD, and secure deployment.

Let's be honest: the traditional, once-a-year pen test just doesn't cut it anymore. For teams pushing updates weekly or even daily, security can't be an afterthought. It needs to be woven into the fabric of your development process, not treated as a final, frantic checkpoint before launch. This is the heart of "shifting left"—addressing security much earlier in the cycle.

The most practical way to do this is by plugging automated pen testing for applications directly into your Continuous Integration/Continuous Deployment (CI/CD) pipeline. It’s like having an automated security inspector right on your software factory's assembly line.

Instead of a manual audit discovering flaws in a nearly finished product, you’re catching them automatically as code is written and built. This approach transforms security from a disruptive, periodic headache into a smooth, continuous part of your workflow.

Moving From Yearly Audits to Constant Vigilance

Embedding security scans into your CI/CD setup, whether you're using GitHub Actions, GitLab CI, or another tool, pays off almost immediately. It fosters a state of constant security readiness and fundamentally shifts your team's culture for the better.

The biggest win? You start catching security regressions long before they have a chance to hit production. Imagine a developer accidentally introduces a leaky RLS policy or an RPC function is mistakenly made public. An automated scan, triggered on their pull request, will flag this on the spot. The vulnerability is stopped dead in its tracks.

This also dramatically reduces friction for your developers. Rather than getting a giant, intimidating report weeks after they've mentally moved on to the next task, they get instant, specific feedback on the code they just wrote. This makes fixing the issue faster, easier, and turns it into a valuable learning moment.

How to Configure Automated Scans and Triggers

Getting automated security up and running in your pipeline is more straightforward than you might think. You can set up triggers to run scans based on key development events, making sure security is checked at the moments it matters most.

Here are a few popular trigger points:

On every pull request: This is the gold standard. It ensures no new code gets merged without a security check, acting as a crucial quality gate for your main branch.
On every commit to the main branch: This provides a solid safety net, scanning code the moment it’s integrated to keep your primary codebase clean.
On a nightly schedule: A scheduled scan can perform a much deeper analysis on the entire application, catching anything that might have slipped through the quicker, incremental checks.

The key to making this work is managing the alerts properly to avoid 'alert fatigue'. Modern security tools are built to filter out the noise. They should only present high-confidence findings with clear, actionable advice on how to fix them. This ensures security doesn't become a bottleneck for your team.

Ultimately, this integration allows your team to stop being reactive and start being proactive. By making security an automated, everyday part of how you build software, you can innovate faster and ship new features with the confidence that you aren't introducing new risks. For a deeper dive into these strategies, you might find our guide on improving CI/CD pipeline security helpful.

Practical Steps for Fixing Common Vulnerabilities

A penetration test report is only as good as the fixes that come out of it. Finding a flaw is one thing, but for a developer, the real work starts when you have to translate that security alert into solid, working code. This is where we get our hands dirty and turn those complex findings into straightforward coding tasks.

We're going to dive into the practical side of remediation for some of the most common vulnerabilities we see out in the wild, especially in modern backends like Supabase and Firebase. Think leaky Row Level Security (RLS) policies and dangerously exposed Remote Procedure Calls (RPCs).

Correcting a Leaky RLS Policy

A misconfigured RLS policy is a classic "silent but deadly" vulnerability. It’s so dangerous because your application will often pass all its functional tests, all while quietly leaking sensitive user data to anyone who knows where to look.

Let's say you have a profiles table. The goal is simple: users should only be able to see their own profile. In a rush, a developer might write a policy that looks right but is far too permissive.

Vulnerable 'Before' Snippet

Here’s a common mistake. The policy is trying to check for a user's id, but it isn't actually connecting that id to the specific row in the table. This simple logic error can cause the policy to always evaluate to true for any logged-in user, exposing every single profile.

CREATE POLICY "Users can view their own profile." ON profiles FOR SELECT USING (auth.uid() IS NOT NULL);

This policy does little more than check if a user is logged in. An attacker could then query the profiles table and walk away with everyone's data.

Secure 'After' Snippet

The fix is surprisingly simple. You just need to explicitly tie the authenticated user's ID to the ID of the record they're trying to access. Think of it as a bouncer checking the name on your ID against the name on the guest list.

CREATE POLICY "Users can view their own profile." ON profiles FOR SELECT USING (auth.uid() = id);

By changing the USING clause to (auth.uid() = id), the policy now works as intended. It strictly limits access, letting users see only the row where the id column matches their unique user ID.

This simple, one-line change is the difference between a major data breach and a secure application. Automated tools with AI-assisted findings, like AuditYour.App, can provide these exact developer-friendly SQL snippets, removing the guesswork from remediation.

Securing an Exposed RPC Function

Remote Procedure Calls are incredibly powerful, but they also introduce a significant risk if you leave them unsecured. If an attacker stumbles upon an unprotected function, they can call it directly, completely bypassing your application's front-end logic and security checks.

Imagine you have a function designed to let a user delete their account.

Vulnerable 'Before' Snippet

Without any built-in authorisation, the function is a ticking time bomb.

CREATE OR REPLACE FUNCTION delete_user_account() RETURNS void AS $$ BEGIN -- Logic to delete the user account END; $$ LANGUAGE plpgsql;

An attacker could call this function and start deleting user accounts at will, causing absolute chaos. The solution is to wrap the function's logic with proper authorisation checks and run it with the right permissions.

Secure 'After' Snippet

CREATE OR REPLACE FUNCTION delete_user_account() RETURNS void AS $$ BEGIN IF auth.uid() IS NOT NULL THEN -- Logic to delete the user account for the calling user ELSE RAISE EXCEPTION 'Not authorized'; END IF; END; $$ LANGUAGE plpgsql SECURITY DEFINER;

This updated version now checks that a user is actually authenticated with auth.uid() IS NOT NULL before it even thinks about running the sensitive deletion code.

Adding SECURITY DEFINER is also crucial. It ensures the function runs with the permissions of the user who defined it—typically a high-privileged role—rather than the person calling it. This prevents an attacker from escalating their privileges and turns a gaping vulnerability into a secure, locked-down feature.

Your Application Pen Testing Questions, Answered

If you're building an application, security is probably on your mind. It’s a field filled with jargon, so it's natural to have questions. We hear the same ones come up time and again, especially from founders and development teams trying to move quickly. Let's clear things up.

How Often Should I Pen Test My App?

For a fast-moving company, the old-school annual pen test just doesn't cut it anymore. Think about how much your code changes in a year—or even a week!

The best approach we’ve seen is a hybrid model. This means running continuous, automated scans right inside your CI/CD pipeline. Every time you push a major change, it gets checked. Then, you supplement this constant watchfulness with a deep-dive manual pen test at least once a year, or whenever you roll out a major architectural change. This combination gives you the best of both worlds: immediate feedback on daily changes and the thoroughness of a human expert's review.

Are Automated Scans Enough, or Do I Need a Manual Test?

This is a great question, and the answer isn't "one or the other." They're two different tools for two different jobs.

Automated scanners, like our own AuditYour.App, are fantastic for quickly and affordably finding common misconfigurations, especially in platforms like Supabase and Firebase. They give you a solid security baseline by spotting the low-hanging fruit and high-impact flaws that trip up so many apps.

But for applications with really complex business logic, or if you're bound by strict rules like GDPR, a manual test led by a human expert is essential. They can understand context and nuance in a way a tool simply can't.

Ultimately, the most robust security strategy uses both. Run automated scans constantly for day-to-day security hygiene, and bring in the experts for periodic, in-depth analysis that understands your specific business.

Does My No-Code App Need Pen Testing?

Yes, absolutely. It's a common misconception that no-code means no security worries. While the platform provider (like Bubble or Webflow) secures its own infrastructure, you are entirely responsible for the business logic, user permissions, and data configurations you build on top of it.

A poorly configured database rule or an insecure workflow in a no-code app can expose your data just as easily as a traditional coding bug. Your app's unique logic and setup must be tested, no matter how it was built.

What’s the Typical Cost of an Application Pen Test?

The price can swing wildly. A traditional manual pen test for a single application can start around £4,000 and climb past £25,000. On top of that, it can often take weeks to even get the final report, which is a lifetime for a startup.

Modern, automated platforms have completely changed the game. You can now get one-off scans for just a few hundred pounds or subscribe to continuous monitoring for a predictable monthly fee. The best part? You get results in minutes, not weeks, giving you a clear and immediate return on your investment by helping you fix critical risks right away.

Ready to move from theory to action? AuditYour.App provides instant, developer-friendly security scanning for your Supabase, Firebase, and mobile applications. Get a clear view of your security posture in minutes. Start your scan today!