Senior Security Engineer for SaaS
Worldwide
Overview

We are a B2B SaaS company preparing to pass an enterprise customer's IT security review. We have built a set of enterprise security features (SSO/MFA, tenant isolation, audit logging, GDPR deletion, privileged-access controls, seat/billing enforcement) and backed them with an automated test suite (pgTAP, Vitest, Playwright). Before we put our name on it, we need an independent senior engineer to adversarially validate that the work is actually correct: not just that the tests pass, but that the security boundaries genuinely hold and that the test suite proves what it claims to. This is a focused, high-trust engagement under NDA.

What you'll do

Independently verify each of our core security boundaries by trying to break them, then report what holds and what doesn't:

- Cross-tenant data isolation: confirm that a user in Customer A can never read or write Customer B's data, via direct Postgres/PostgREST queries, IDOR against API routes and server actions, SECURITY DEFINER functions, and storage object paths and signed URLs. Postgres Row-Level Security (RLS) is the entire tenant boundary, so this is the heart of the job.
- Auth and session lifecycle: MFA/AAL enforcement; that deactivating a user kills access on the next request even with a still-valid token; and that nothing untrusted can elevate its own role or claims.
- GDPR data deletion: that account deletion leaves zero residue (DB cascade including join-scoped tables, storage blobs, identity PII), that the proof-of-erasure record is honest, and that a partial failure is safe and retryable.
- Privileged (super-admin) access: that every read or mutation of customer data is logged or denied, with no unlogged path, and that the CI guard enforcing this actually works.
- Seat/billing entitlement: that paid capability requires payment and seat caps are enforced (scope confirmed at kickoff; some billing paths may be out of scope).
- Cross-feature composition: emergent leaks that appear only when SSO, session, MFA, audit and deletion interact, which per-feature tests miss.

The distinctive part of this job: we also need you to audit the test suite itself. Confirm that the pgTAP/Vitest/Playwright tests are real (not "vacuous green", i.e. passing for the wrong reason), that each test would actually fail if the control it guards were broken, and where coverage has gaps versus the documented threat model. We will give you our internal threat model as the coverage checklist; part of your value is finding the attacks it omits.

Required skills

- Deep PostgreSQL / Supabase RLS expertise: you can read and reason about RLS policies, SECURITY DEFINER functions and grants, and you know how multi-tenant isolation fails in practice.
- Next.js (App Router): server actions, route handlers, middleware, the server/client boundary.
- A genuine application security / penetration-testing background: IDOR, broken access control, authz testing, OWASP Top 10, multi-tenant SaaS threat models.
- Comfortable running a local stack (Supabase + Next.js + a background-job runner) and reading TypeScript and SQL.
- Experience writing clear, evidence-based security findings (severity, reproduction steps, remediation).

Nice to have

- Prior work supporting SOC 2 / enterprise security questionnaires / vendor security reviews.
- pgTAP, Vitest and Playwright experience (you will be auditing suites written in all three).
- Auth/SSO (SAML/OIDC, MFA/AAL) and Stripe billing security experience.

Deliverables

- A written security assessment report: for each boundary above, pass/fail with evidence and reproduction steps.
- A test-suite integrity verdict: which existing tests are sound, which are vacuous, and the coverage gaps versus the threat model.
- Severity-ranked findings (Critical to Low) with concrete remediation guidance.
- A re-test pass after we fix anything you flag.

How we'll work

- NDA required before any access (private repo, enterprise customer data; no customer or third-party names will be shared publicly).
- We will provide repo access and a runnable environment (local stack and/or a staging instance), plus the threat model and the list of features in scope.
- Async-friendly; a short kickoff call to align on scope and the crown-jewel priorities.
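The posting asks for two things that a single pgTAP script can illustrate together: a cross-tenant RLS isolation check, and proof that the check is not "vacuous green". The script below is an added example written for this page, not the client's code or schema. Everything in it is assumed: the `public.memberships` and `public.tenant_docs` tables, the policy names, the constructed tenant and user UUIDs, and a Supabase-style database where `auth.uid()` reads the `sub` claim from `request.jwt.claims`, the `authenticated` role exists, pgTAP is installed, and the role running the script owns the tables (so it bypasses RLS) and may `SET ROLE authenticated`.

```sql
-- Added example (not the client's suite). Runs in one transaction and rolls
-- back, so the fixture never persists:  pg_prove -d "$DATABASE_URL" tenant_isolation.sql
BEGIN;
SELECT plan(5);

-- Constructed fixture (assumed schema): a membership table and a per-tenant
-- document table, both protected by RLS keyed on auth.uid().
CREATE TABLE public.memberships (
  user_id   uuid NOT NULL,
  tenant_id uuid NOT NULL,
  PRIMARY KEY (user_id, tenant_id)
);
CREATE TABLE public.tenant_docs (
  id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  tenant_id uuid NOT NULL,
  body      text NOT NULL
);
ALTER TABLE public.memberships ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.tenant_docs  ENABLE ROW LEVEL SECURITY;
GRANT SELECT ON public.memberships TO authenticated;
GRANT SELECT, INSERT, UPDATE ON public.tenant_docs TO authenticated;

-- The subquery inside tenant_isolation runs as the caller, so memberships
-- needs its own policy; if it were unreadable every tenant query would be
-- deny-all, and a read-only isolation test would pass for the wrong reason.
CREATE POLICY own_memberships ON public.memberships
  FOR SELECT TO authenticated
  USING (user_id = auth.uid());

CREATE POLICY tenant_isolation ON public.tenant_docs
  FOR ALL TO authenticated
  USING      (tenant_id IN (SELECT tenant_id FROM public.memberships WHERE user_id = auth.uid()))
  WITH CHECK (tenant_id IN (SELECT tenant_id FROM public.memberships WHERE user_id = auth.uid()));

-- Two tenants, one user in each (constructed ids).
INSERT INTO public.memberships (user_id, tenant_id) VALUES
  ('0000000a-0000-0000-0000-000000000000', '1111111a-1111-1111-1111-111111111111'),  -- user A, tenant A
  ('0000000b-0000-0000-0000-000000000000', '2222222b-2222-2222-2222-222222222222');  -- user B, tenant B
INSERT INTO public.tenant_docs (tenant_id, body) VALUES
  ('1111111a-1111-1111-1111-111111111111', 'tenant A secret'),
  ('2222222b-2222-2222-2222-222222222222', 'tenant B secret');

-- Impersonate user A the way PostgREST does: set the JWT claims that
-- auth.uid() reads (transaction-local), then drop to the authenticated role.
SELECT set_config('request.jwt.claims',
  '{"sub":"0000000a-0000-0000-0000-000000000000","role":"authenticated"}', true);
SET ROLE authenticated;

-- 1. Read isolation: A sees only tenant A's rows.
SELECT results_eq(
  'SELECT body FROM public.tenant_docs ORDER BY body',
  ARRAY['tenant A secret'],
  'user A reads only tenant A rows');

-- 2. Anti-vacuity: A CAN write into its own tenant. Without this, test 3
--    would also pass if INSERT were simply not granted, proving nothing about RLS.
SELECT lives_ok(
  $$INSERT INTO public.tenant_docs (tenant_id, body)
    VALUES ('1111111a-1111-1111-1111-111111111111', 'added by A')$$,
  'user A can insert into tenant A');

-- 3. Write isolation: a row tagged with tenant B fails WITH CHECK
--    (SQLSTATE 42501, insufficient_privilege).
SELECT throws_ok(
  $$INSERT INTO public.tenant_docs (tenant_id, body)
    VALUES ('2222222b-2222-2222-2222-222222222222', 'planted by A')$$,
  '42501',
  'user A cannot insert a row into tenant B');

-- 4. A cross-tenant UPDATE is silently a no-op (the row is invisible to A),
--    so verify from the owner side, which bypasses RLS, that B's data is untouched.
UPDATE public.tenant_docs SET body = 'tampered' WHERE body = 'tenant B secret';
RESET ROLE;
SELECT is(
  (SELECT body FROM public.tenant_docs WHERE tenant_id = '2222222b-2222-2222-2222-222222222222'),
  'tenant B secret',
  'cross-tenant update by user A changed nothing');

-- 5. Does test 1 have teeth? Turn RLS off and re-run the same query as A:
--    it must now leak tenant B. A green result here shows the isolation
--    assertion really depends on the policy rather than on the fixture.
ALTER TABLE public.tenant_docs DISABLE ROW LEVEL SECURITY;
SET ROLE authenticated;
SELECT results_eq(
  'SELECT body FROM public.tenant_docs ORDER BY body',
  ARRAY['added by A', 'tenant A secret', 'tenant B secret'],
  'with RLS disabled the same query leaks tenant B');
RESET ROLE;

SELECT * FROM finish();
ROLLBACK;
```

Tests 2 and 5 are the ones that distinguish a sound suite from a vacuous one: test 2 proves the denial in test 3 comes from the policy and not from a missing grant or an unreadable membership table, and test 5 proves the read-isolation assertion would fail if the control were removed. When auditing an existing pgTAP suite, look for exactly those two kinds of check; an isolation test that only asserts "zero rows" with no positive counterpart and no mutation of the control is the usual shape of a false green.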
- Hourly: less than 30 hrs/week
- Duration: 1-3 months
- Experience level: Expert
- Rate: $70.00 to $120.00 hourly
- Remote job
- Project type: Ongoing project
Activity on this job
- Proposals: 20 to 50
- Last viewed by client: last week
- Interviewing: 6
- Invites sent: 2
- Unanswered invites: 0
About the client
- Chino Hills, United States
- $7.4K total spent; 12 hires, 1 active
- 123 hours