Validating Code Refactoring for a Secure Production Release
Perusall is an online social learning platform for annotating text, video, and audio content. They spent a significant portion of 2025 migrating a codebase that has evolved over the past 10 years to a modern tech stack. Perusall’s experienced, but lean, engineering team combined its industry expertise with AI-assisted workflows to meet company objectives. Perusall voluntarily engaged with Software Secured for a third-party, unbiased code review to ensure these efforts yielded a platform that is robust and secure.
Addressing Risks in AI-Assisted Development
Perusall’s engineering team was rewriting an extensive, ten-year-old system into a modern architecture. Rapid development and AI-assisted workflows helped accelerate delivery, but also introduced an element of uncertainty that Perusall wanted to address:
- Unknown gaps in AI-assisted development
- Potentially missing opportunities for improvement over the legacy application
- Time and resource constraints could lead to unknown risks
Perusall needed a partner who could:
- Validate the comprehensive security of a large codebase, rewritten by AI-assisted engineers
- Identify potential architecture issues before production
- Offer guidance and support throughout remediation
- Move at the same pace as their engineering team
Compliance requirements didn’t drive the Perusall team. They were driven by a responsibility to deliver a secure platform, protect user data, and move into production with confidence.
How Secure Code Review Validated Their New Codebase
Software Secured's code-review-driven approach includes accurate line-level inspection across critical security domains, including authorization, database access, configuration files, and sensitive data handling.
By reviewing the source directly, testers can identify vulnerability patterns and then quickly uncover additional instances across the codebase. This capability is far beyond what black-box or gray-box testing can achieve.
The hybrid approach of combining source code analysis with validation against a running instance delivered accuracy, repeatability, and richer insight into how Perusall's application behaved in practice. It enabled the development team to streamline later phases of their multi-stage rewrite and ensure consistency throughout the transition to their new architecture.
The Engagement Included:
- Manual and automated secure code review
- Confirming findings against a running instance when available
- Actionable reporting, including detailed vulnerability descriptions, evidence, and remediation guidance
- Leveraging the Software Secured Portal to streamline remediation and tracking
- The ability to import the findings into Linear using Portal’s CSV export/import functionality
How Perusall Accelerated Remediation with Portal
Perusall described Portal, the Software Secured Pentest Management Platform, as “perfect for our workflow.”
Portal allowed the team to:
- Track each finding with full metadata, severity, proofs, and evidence
- Share the code base securely
- Submit retest requests quickly
- Accept risk for select issues
- Review historical analytics
- Manage vulnerability progress from start to finish
- Download the report and certificate easily
A Stronger Security Posture
Software Secured’s Secure Code Review provides deeper insights into an application than penetration testing. This enables faster detection of critical issues, such as flaws in cryptography and authentication logic, if present.
Given their ambitious development goals and engineering processes, code review offered the highest value to Perusall. It would validate all their new code, AI-influenced or not, thereby giving their engineering team the confidence to move toward production.
A Stronger Codebase, Built on Certainty
The review validated Perusall’s architectural choices and confirmed that the new codebase was secure and production-ready. Perusall even mentioned that the code review would help them:
"Gain confidence that we're not introducing vulnerabilities or missing opportunities for better security."
The code review helped Perusall:
- Continue moving fast without losing sight of security
- Gain more confidence that their software and client data are secure
- Use the uncovered findings to influence their baseline for secure coding practices
Software Secured helped Perusall build securely, improve code quality during the development lifecycle, and strengthen their security posture before going live. The review provided the clarity Perusall needed to reduce the risk of emergency fixes after launch. They are now moving forward with a more intentional, future-ready approach to software development.
Measured Results Coming From Secure Code Review
“The review provided the external assurance the team needed before shipping such a major rewrite. It validated that the new codebase was sound and ready for production.” - Brian Lukoff - CTO
Perusall emerged from the engagement with:
- A validated, production-ready codebase
  - Software Secured’s review confirmed that Perusall’s codebase (rewritten by AI-assisted, experienced engineers) was structurally sound and ready for deployment. Critical risks were identified and remediated before launch, and the engineering team gained confidence that the new platform was secure at the foundation.
- Greater visibility into security risks
  - Perusall gained a much clearer understanding of where vulnerabilities existed and why they could cause problems. Issues surfaced early, allowing the team to address problems rather than symptoms.
- A more secure development process moving forward
  - The engagement helped Perusall evolve how they build software. The findings influenced coding practices, testing processes, and architecture decisions. The team is able to anticipate risks early, review AI-generated code critically, and approach future development with intentionality.
- Faster remediation with Portal
  - Portal centralized findings, metadata, proofs, and retest cycles into one workflow, allowing Perusall to verify fixes quickly. With CSV export/import for Linear and up to three retests within a 90-day window, the team accelerated their path to readiness. In fact, our collaboration allowed Perusall to evaluate and address all findings in under 30 days.
- Higher confidence going into their launch date
  - Validating the rewritten codebase, uncovering potential issues, and receiving quick support during remediation gave the engineering team the confidence they needed.
“The experience validated how we think about security during development. We now have confidence that the purposeful adoption of AI in our workflows has not impacted our ability to ship secure code.” - Brian Reeve - Principal Engineer

