How do I check my Supabase RLS policies for security holes?

AuditYourApp performs an automated deep-scan of your Postgres schema. It simulates attacker behavior to identify tables with missing Row Level Security (RLS) policies, permissive "true" policies, and unauthenticated public access risks.

Is AuditYourApp safe to run on a production database?

Yes. The scanner operates in a read-only context for 95% of checks. For write-access verification, it uses transaction rollbacks to ensure no dummy data is left behind.

Does it provide code to fix the security issues?

Yes. Unlike standard scanners that only report errors, AuditYourApp generates the exact SQL snippets and Policy definitions needed to patch vulnerabilities and secure your Supabase project.

What is the difference between the Single Snapshot and Continuous Guard?

The Single Snapshot ($49) is a one-time audit perfect for pre-launch verification. Continuous Guard ($29/mo) runs weekly scans to detect security regressions, ensuring new code pushes do not accidentally expose private data.

Does it offer manual expert review??

Yes, AuditYourApp offers an Expert Architecture Review ($499) which includes manual logic analysis by a human security engineer.

Secure Software Development Life Cycle: A Complete Guide

You push a feature on Friday night. Auth works. Payments work. The demo lands well. Then someone notices a mobile client can read records it shouldn’t, because a database policy was written for speed, not for isolation. Nobody meant to ship an exposure. The team just did what fast teams do. Build, test the happy path, release, move on.

That pattern is common in startups, especially with serverless-first stacks. Supabase and Firebase remove a lot of infrastructure pain, but they also make it easy to confuse platform convenience with application security. If a rule is too broad, an RPC is callable when it shouldn’t be, or a secret slips into a client bundle, the problem isn’t theoretical. It’s already in production.

A lot of founders react by assuming they now need enterprise-style security process. Long review cycles. Heavy sign-offs. Dedicated specialists for every release. That usually fails. Fast-moving teams need controls that fit the way they already work.

That’s where the secure software development life cycle matters. Not as bureaucracy, but as a way to stop avoidable mistakes from reaching users. The good version of SSDLC is lightweight, automated, and built into normal delivery. It helps teams catch risky changes in pull requests, validate infrastructure and app configuration before release, and keep checking after deployment when real systems drift.

Teams that are thinking through broader solutions for modern cyber threats usually arrive at the same conclusion. Security can’t sit outside engineering and still keep up.

Introduction From Shipping Fast to Shipping Secure

The old startup slogan was simple. Ship now, fix later. That still works for copy changes and minor UX bugs. It doesn’t work for auth boundaries, data access rules, or public-facing functions that bypass business logic.

Security failures in young products usually don’t come from exotic attacks. They come from ordinary development shortcuts. A permissive policy added during testing never gets tightened. A service role key gets reused in the wrong place. A callable backend function has no real guardrail beyond “the app won’t expose this button”.

Why the old security model breaks

Traditional security programmes were built for slower release cycles. A separate team reviewed architecture, then another team tested before launch, then someone filed a spreadsheet of findings. That model struggles when you deploy many times a day and half your backend is managed by a cloud platform.

Modern teams need a different posture:

Security at commit time: catch risky code and configuration before merge.
Security at build time: inspect dependencies, mobile artefacts, and environment handling.
Security at runtime: verify what the deployed system allows, not what the design doc said it should allow.

Security has to fit inside delivery. If it lives outside the pipeline, developers will route around it.

What changes when you treat security as part of shipping

The practical shift is small but important. Instead of asking “did we do a security review before launch?”, ask “what checks run every time we change something important?”

That question changes behaviour. Teams write clearer requirements for access control. They model risky flows before coding. They scan dependencies by default. They stop relying on manual memory to protect production.

That’s the mindset behind SSDLC. You don’t slow the team down by adding giant process. You make the normal path safer, so developers can still move quickly without gambling on luck.

What Is a Secure Software Development Life Cycle

A secure software development life cycle is the practice of building security into software from the start instead of trying to bolt it on at the end. The easiest way to explain it is with a house.

You wouldn’t build the walls, install the kitchen, hand over the keys, and then decide to pour the foundation. You also wouldn’t wait until move-in day to ask where the locks should go. Security decisions belong in the blueprint, the materials, the inspection, and the maintenance.

Software works the same way.

A comparison drawing illustrating the difference between designing for security versus adding security measures later.

The core idea behind SSDLC

In practice, SSDLC means every development phase includes security work that matches the phase. During planning, you decide what needs protection. During design, you think through abuse cases. During implementation, developers follow secure coding rules. During testing and deployment, automation checks what people missed. During maintenance, the team keeps watching for drift, regressions, and newly disclosed dependency issues.

That sounds obvious, but many teams still treat security as a final gate. That’s where the shift left idea comes in. The point isn’t ideology. It’s efficiency.

IBM’s overview of secure development notes that the shift-left approach helps organisations detect vulnerabilities earlier in design and build phases, which reduces time-to-remediation from weeks to hours and helps avoid release delays caused by late security findings, as described in IBM’s guidance on secure software development life cycle practices.

What shift left actually looks like

For a startup, shift left does not mean every developer becomes a full-time security engineer. It means the team inserts security thinking at moments when changes are still cheap.

A few examples:

Before coding: define who should access which records, and where privileged actions live.
While coding: use peer review to look for auth bypasses, unsafe secret handling, and dangerous assumptions in API exposure.
Before merge: run static analysis, dependency checks, and configuration validation automatically.
Before release: test the built app and deployed environment, not just source files.

Practical rule: if a control depends on someone remembering a checklist item during a busy release, it will eventually fail.

Why SSDLC helps teams move faster

A lot of teams hear “secure software development life cycle” and picture friction. In reality, the friction usually comes from not doing it.

Late-stage security problems are expensive because they spread. A weak permission model can touch the frontend, backend, database policies, tests, and support workflows. Finding that issue after release means rework across the stack. Finding it in design often means rewriting a few assumptions before any code exists.

SSDLC also improves delivery quality in ways founders care about:

Fewer last-minute surprises: build and release cycles stop getting derailed by avoidable findings.
Clearer ownership: developers know which checks belong to coding, review, deployment, and operations.
More trust: enterprise buyers, partners, and users notice when a product handles security like an engineering discipline instead of a scramble.

For serverless-first products, this matters even more. The platform handles infrastructure, but your team still owns access control, exposed functions, dependency choices, mobile client behaviour, and how secrets move through the system. SSDLC gives those responsibilities a repeatable shape.

The Seven Phases of a Modern SSDLC

A modern SSDLC doesn’t need to be heavyweight, but it does need coverage. In the UK, 43% of businesses reported a cyber breach or attack in the previous year, and 25% of incidents were tied to software misconfigurations. The same verified dataset says organisations complying with SSDLC metrics reduced breach risk by 30%, while average UK breach costs reached £10.4 million, according to the cited material linked through the SEI reference provided for UK SSDLC figures.

For a startup, that’s enough reason to stop treating secure development as optional.

Requirements

The goal here is simple. Decide what must be protected before anyone starts shipping.

This phase is where teams usually underspecify security. They write product requirements but skip access assumptions. Then developers improvise. That’s how “admin-only” actions turn into “hidden in the UI” and “private user data” turns into “we’ll lock it down later”.

Use requirements to define:

Data sensitivity: what data is public, internal, customer-private, or highly restricted.
Trust boundaries: what runs in the browser, on mobile, in server functions, and in the database.
Abuse cases: what misuse would hurt customers even if the feature works as designed.

If you build on Supabase or Firebase, you decide whether the database is enforcing access or the app is. Don’t leave that ambiguous.

Design

Design is where you turn security intent into architecture. This is the best point to do lightweight threat modelling.

You don’t need a formal workshop every sprint. A useful design review often fits on one page. Who can call this function? What happens if a user changes an ID in a request? Can a direct database call bypass business logic? Which secrets need to stay server-side?

For teams exploring more automated review patterns, this breakdown of AI-native code security is useful because it reflects how modern engineering teams inspect generated and rapidly changing code without pretending every issue should be caught manually.

If your design assumes “nobody will call this directly”, redesign it. Attackers and curious users always call things directly.

A practical reference point is Microsoft’s lifecycle framing. If you want a grounded description of how a mature programme maps security into development stages, this summary of the Microsoft Secure Development Lifecycle is a good operational read.

Development

Controls meet habits. Developers need guardrails that run automatically and reviews that focus on the right risks.

The important checks in development are usually:

Static analysis: catch insecure patterns in code before they become test failures.
Dependency scanning: identify risky packages and vulnerable transitive components.
Secret detection: stop hardcoded credentials and tokens entering repositories or artefacts.
Configuration review: validate database rules, auth settings, storage access, and API exposure.

For serverless teams, development security often needs one more category. Policy review. A syntactically valid policy can still be unsafe. A cloud rule can compile and still expose customer data.

Testing

Testing should prove security behaviour, not just confirm that endpoints return expected responses.

A useful test stack combines different methods:

| Phase | Key Security Activity | Example Tool Type | |---|---|---| | Requirements | Define data classification and access expectations | Security checklist | | Design | Threat modelling and trust boundary review | Architecture review template | | Development | Secure coding, secret detection, dependency checks | SAST, SCA, secret scanner | | Testing | Validate runtime behaviour and abuse cases | DAST, fuzzing, integration tests | | Deployment | Enforce release gates and environment validation | CI policy checks, config scanner | | Maintenance | Monitor drift, regressions, and new exposures | Alerting, scheduled scans | | Decommissioning | Remove access, data, and forgotten integrations | Offboarding checklist |

Testing should include:

Auth and authorisation tests: verify users can only read and write what they should.
Negative-path tests: confirm direct requests fail when the UI would normally block them.
Dynamic analysis: inspect the running app, not just the repo.
Fuzzing where it matters: especially for APIs, policies, and functions that sit near sensitive data.

Many teams test features and assume security follows. It doesn’t. A green functional test suite can still hide a wide-open data access path.

Deployment

Deployment is where teams decide what blocks release and what only creates a warning. That distinction matters.

If every security alert breaks production, developers will eventually disable the checks. If nothing blocks release, the pipeline becomes theatre. The right approach is to gate the issues that create immediate risk and backlog the ones that need human review.

Good deployment controls include:

Build artefact inspection
Environment variable validation
Release rules for high-severity findings
Approval paths for exceptional cases

Maintenance

Most systems become insecure after launch through drift, not through one dramatic mistake.

Dependencies age. Rules change. New features create side effects in old data paths. A mobile update exposes a new endpoint. A database migration weakens an assumption that used to hold. Maintenance means continuing the SSDLC after the launch announcement is over.

That includes regular scans, monitoring, and re-validation of access rules after schema or product changes.

Decommissioning

Teams often forget this phase, then leave behind working credentials, stale admin routes, old mobile builds, abandoned storage buckets, or background jobs nobody owns.

Decommissioning should remove:

Unused service accounts and keys
Legacy endpoints and scheduled tasks
Dormant third-party integrations
Data that no longer has a business reason to exist

This phase rarely gets attention, but it closes off real attack surface.

Integrating Security into Your CI/CD Pipeline

The fastest way to make SSDLC real is to wire it into the pipeline your team already trusts. If developers have to leave their normal workflow to “go do security”, adoption drops fast. If the checks run automatically on pull requests, builds, and releases, the process becomes ordinary engineering.

That matters because the UK’s verified figures show 32% of breaches involved third-party software vulnerabilities, and the same dataset says the UK Government’s 2022 National Cyber Strategy drove a 22% increase in secure development training. It also states that full SSDLC integration can lead to 35% fewer high-severity vulnerabilities and 25% faster remediation, based on the cited Microsoft SDL material at Microsoft security engineering practices.

A diagram illustrating the eight stages of integrating security into a CI/CD development pipeline.

What a practical pipeline looks like

A workable CI/CD security flow usually starts at the pull request.

Commit and pull request Developers push code. The pipeline checks formatting, tests, static analysis, and obvious secret exposure.
Dependency review The build inspects packages and lockfiles for known issues and risky additions. This is one of the easiest checks to automate and one of the easiest to skip when teams are rushing.
Build artefact validation Don’t stop at source code. Inspect what the app produces. For web and mobile projects, that includes client bundles, compiled assets, and config carried into the build.
Security testing in staged environments Once the app runs, dynamic analysis and behaviour-focused tests can validate auth paths, endpoint exposure, and runtime configuration.
Deployment gates Releases should fail for the classes of issues your team agrees are release blockers. Keep this list narrow and serious.
Post-deploy monitoring Production still needs checks. Runtime monitoring, alerting, and scheduled scans catch issues introduced by drift or incomplete remediation.

Fail fast without burning out developers

The point of CI/CD security isn’t to create more red builds. It’s to surface the right issues at the cheapest time to fix them.

A sensible policy looks like this:

Block immediately: exposed secrets, unsafe production config, severe dependency issues, obvious auth bypasses.
Warn but continue: lower-risk code smells, findings that need context, or issues limited to non-production paths.
Escalate for review: anything that looks exploitable but needs human judgement.

That balance is often missing. Security teams over-gate, developers revolt, and the pipeline loses credibility.

Build gates should stop dangerous releases, not every imperfect one.

If your team is still maturing its delivery process, this guide to implementing effective DevOps is helpful because it frames automation as an engineering discipline rather than a tool checklist. For the security side of that equation, a focused read on CI/CD security controls and workflow design maps well to startup pipelines.

Where teams usually get this wrong

The common failure modes are predictable:

They scan source but not artefacts. Secrets and unsafe config often appear in what gets built, not just in what gets committed.
They only test pre-production paths. Runtime behaviour changes under real environment settings.
They treat all findings equally. Developers stop trusting noisy pipelines.
They rely on a single tool. No single scanner understands code, dependencies, policies, mobile builds, and runtime behaviour well enough on its own.

A strong pipeline uses layered checks. Static analysis catches one class of issue. Dependency scanning catches another. Runtime and configuration testing catch what static tools can’t infer.

Securing Supabase and Firebase Applications

Supabase and Firebase let teams ship backend-heavy products with very little operational overhead. That speed is real. So is the risk. The dangerous part isn’t usually the platform itself. It’s the assumptions teams make while using it.

The verified data for UK serverless-first app security is blunt. For developers using these stacks, misconfigurations caused 62% of mobile app breach incidents in the UK in 2025, and 82% of UK startups use serverless stacks. The same source says post-build fuzzing can prove leakages 3x more effectively than relying on upfront threat modelling alone, according to the cited OWASP in SDLC write-up.

A hand-drawn illustration comparing Supabase security and Firebase security using shield icons with stylized letter S and fire symbols.

Where Supabase apps usually slip

The most common Supabase issue is false confidence around Row Level Security. Teams enable RLS, write a few policies, see the app working, and assume access control is solved.

It isn’t. Unsafe patterns often include:

Over-broad read policies: authenticated users can read far more rows than intended.
Write policies tied to user input: updates rely on fields the client controls.
Public or weakly protected RPCs: functions expose sensitive operations outside the intended flow.
Service-role leakage: privileged keys end up in frontend code, scripts, or mobile builds.

A policy can look reasonable in review and still leak data. That’s why testing behaviour matters more than reading syntax alone.

Firebase has different sharp edges

Firebase teams often run into a similar class of problem with different mechanics. Rules start permissive so prototyping can move quickly. Later, the app grows around those rules, and tightening them becomes risky because existing flows depend on broad access.

Typical failure points include:

Database or storage rules that trust the client too much
Weak separation between public and user-scoped documents
Callable functions missing proper auth and role checks
Secrets and config values embedded in mobile or web assets

The cloud provider secures the platform. Your team still secures the app logic.

A managed backend removes infrastructure toil. It does not remove authorisation design.

What actually works in these stacks

The teams that do this well follow a few habits consistently:

Model access at the data layer first: decide what each user type can do before writing frontend logic.
Test direct access paths: assume someone will call the database, storage layer, or function without using your intended UI.
Scan after build, not only before: mobile packages and frontend bundles often reveal problems that source review misses.
Use remediation that developers can apply quickly: SQL fixes, rule changes, and role-check patterns should be concrete.

If you’re building client apps on top of these platforms, it helps to think in terms of exposed surfaces. Database rules, storage rules, callable functions, app bundles, and environment handling all need verification. That’s why cloud-native app security usually needs stack-specific review, not just generic web scanning. A useful reference point is this practical guide to cloud application security for modern app stacks.

A better way to validate serverless security

Threat modelling still matters, but these platforms benefit from one more step. Proving the leakage.

For example, if you suspect a policy allows cross-tenant reads, don’t stop at “this looks unsafe”. Test whether a user can retrieve another tenant’s data. If an RPC seems too open, verify whether a low-privilege caller can execute it successfully. If a mobile build contains secrets or privileged endpoints, treat that as a shipped defect, not a theoretical concern.

That style of validation gives developers something much more useful than a vague warning. It gives them a reproducible issue tied to a real code or configuration fix.

Common SSDLC Pitfalls for Agile Teams

Most agile teams don’t reject security because they dislike it. They reject versions of security that feel disconnected from how they build. The result is a set of familiar excuses that sound practical but create avoidable risk.

The SME angle matters here. Verified UK data says 74% of cyber attacks in 2024-2025 targeted SMEs, while only 28% of SMEs conduct regular vulnerability scans. The same source argues that low-cost, no-setup scanners matter because smaller teams often lack budget and in-house security expertise, according to the cited SME implementation challenges research.

We’re too small to be a target

Small teams often assume attackers only care about large enterprises. In practice, smaller products are attractive because they usually have weaker controls, less monitoring, and fewer people watching for abuse.

The fix isn’t to copy enterprise process. It’s to cover the basics reliably. Scan dependencies, validate auth boundaries, inspect builds for secrets, and test exposed functions and data rules.

The cloud provider handles security

This is half true, which makes it dangerous.

Supabase, Firebase, and cloud platforms handle a lot of infrastructure security. They do not define your authorisation model, decide which functions should be public, or stop your team from shipping unsafe access rules. Shared responsibility is still responsibility.

We can’t afford security specialists

Many startups can’t hire a dedicated application security engineer early on. That’s normal. It also isn’t a reason to skip SSDLC.

What works instead:

Start with automation: use scanners and policy checks that fit into CI/CD.
Write a few hard release rules: no exposed secrets, no known severe dependency issues, no unreviewed auth changes.
Give one engineer clear ownership: not as the “security team”, but as the person keeping the process alive.

Security slows down sprints

Bad security process slows down sprints. Good security process removes expensive rework.

Teams feel this most clearly when a release gets blocked late by something they could have caught during design or at pull request time. If security enters only at the end, it will always feel like interruption. If it sits in the workflow from the start, it feels like quality control.

The startup version of SSDLC should be boring. A few rules, good automation, clear ownership, and no heroics.

We’ll tighten it after product-market fit

That usually means the risky patterns become part of the product’s foundation. Then every later security fix turns into a migration problem.

A better approach is to adopt “minimum viable security”. Not perfect. Not exhaustive. Just enough discipline that today’s shortcuts don’t become tomorrow’s incidents. For most startups, that means access rules, secret handling, dependency hygiene, release gating, and ongoing checks after deployment.

Conclusion Building a Culture of Security

The secure software development life cycle works when it becomes part of how the team ships, not a document that appears before audits. This integration is the essential shift. Security stops being a separate event and becomes part of planning, coding, testing, releasing, and maintaining the product.

For startups and indie builders, that matters because the risk usually hides in ordinary work. A rushed rule change. A function that trusts the client too much. A secret in a build artefact. A dependency no one reviewed. None of those problems require a dramatic breach scenario to be expensive.

The good news is that SSDLC doesn’t require an enterprise security department. It requires consistency. A few design questions before coding. Automated checks in CI/CD. Runtime validation for serverless behaviour. Clear release blockers. Ongoing monitoring after launch.

That’s manageable.

Start small and make it real. Pick one current project. Review the data access model. Add one dependency scan if you don’t already have it. Add one build-time secret check. Test one sensitive path directly, without going through the UI. The point isn’t to “complete” security. The point is to stop shipping blind.

Teams that do that early build something more valuable than a checklist. They build trust, internally and externally. That trust compounds every time they release without introducing a preventable security mess.

If you want a fast baseline for a live project, AuditYour.App gives teams a practical way to scan Supabase, Firebase, mobile apps, and web builds for exposed RLS rules, public RPCs, leaked API keys, hardcoded secrets, and other high-risk misconfigurations. It’s a sensible first step when you need to see what’s exposed before you tighten your secure software development life cycle.