
Security Report — February 2026

Monthly automated security assessment of SpeyBooks infrastructure. Grade: A (97%).

William Murray · 13 February 2026 · 2 min read

February 2026 Assessment

Each month, SpeyBooks runs an automated security test harness against live production infrastructure. The harness checks 21 controls across six areas: firewalls, secure configuration, patch management, access control, malware protection, and operations. Every test runs against the real system, not a staging copy.

Grade: A (97%)

All core security controls verified. No action items.

21 tests run: 20 passed, 1 warning.

Firewalls & Network

  • ✓ Security headers present on all domains
  • ⚠ Nginx config has minor issues
  • ✓ Expected ports only, 0 unexpected

Secure Configuration

  • ✓ No sensitive paths exposed
  • ✓ PostgreSQL local-only, strong auth
  • ✓ SSH hardened: key-only, root disabled
  • ✓ TLS 1.2+ only, strong ciphers

Patch Management

  • ✓ Node.js on current LTS
  • ✓ No critical/high vulnerabilities
  • ✓ OS fully patched, auto-updates active
  • ✓ PostgreSQL on latest point release

Access Control

  • ✓ No auth anomalies detected
  • ✓ Fail2ban active with SSH + nginx jails
  • ✓ Rate limiting on all auth endpoints
  • ✓ Row Level Security verified on all tenant tables

Malware Protection

  • ✓ Rootkit scan clean
  • ✓ Only expected services listening

Operations

  • ✓ Backups current
  • ✓ Disk and memory within safe thresholds
  • ✓ S3 sync within threshold
  • ✓ SSL certificates valid

Findings

Nginx config has minor issues — Minor configuration refinement scheduled.

Trend

This is the first automated assessment. Future reports will include month-over-month comparisons.

What We Test

The test harness is open about what it checks. Every control maps to a recognised security baseline:

  • Firewalls & Network — Port exposure, nginx hardening, security headers
  • Secure Configuration — SSH, PostgreSQL, TLS, no sensitive paths exposed
  • Patch Management — OS security patches, runtime versions, dependency audit
  • Access Control — Row Level Security, brute-force protection, rate limiting
  • Malware Protection — Rootkit scanning, expected services only
  • Operations — Backups, SSL certificates, disk/memory headroom, offsite sync

Tests run against live production infrastructure on the 1st of each month. Results are published here within 24 hours.


Next assessment: 1 March 2026
