Ugh... what a scary feeling. To have your client engage the services of a 3rd-party security firm and submit your code for a code review to see whether your code is secure or not.
No offence to those guys, but I guess I'm uneasy about letting someone whose bonus is dictated by how many flaws they find in my code have free rein over it. What would I have to do? Explain in detail why I did all my little hacks and shortcuts, promise that no external code ever ever ever will run in the component (just remember, promising that your code works well is NOT a solution).
I guess the thing that I'm most worried about is that different programmers have different styles and methods of solving a problem. But what if those guys feel that theirs is the best way and then get the client to pressure me to conform, even though my way is just as secure and efficient as theirs?
This is going to be an interesting experience.