Senior Security Engineer for SaaS

Posted 3 weeks ago

Worldwide

Summary

Overview

We’re a B2B SaaS company preparing to pass an enterprise customer’s IT security review. We’ve built a set of enterprise security features (SSO/MFA, tenant isolation, audit logging, GDPR deletion, privileged-access controls, seat/billing enforcement) and backed them with an automated test suite (pgTAP, Vitest, Playwright). Before we put our name on it, we need an independent senior engineer to adversarially validate that the work is actually correct: not just that tests pass, but that the security boundaries genuinely hold and that the test suite proves what it claims to. This is a focused, high-trust engagement under NDA.

What you’ll do

Independently verify each of our core security boundaries by trying to break them, then report what holds and what doesn’t:

  • Cross-tenant data isolation: confirm a user in Customer A can never read or write Customer B’s data, via direct Postgres/PostgREST queries, IDOR against API routes and server actions, SECURITY DEFINER functions, and storage object paths and signed URLs. Postgres Row-Level Security (RLS) is the entire tenant boundary, so this is the heart of the job.
  • Auth & session lifecycle: MFA/AAL enforcement, that deactivating a user kills access on the next request even with a still-valid token, and that nothing untrusted can elevate its own role/claims.
  • GDPR data deletion: that account deletion leaves zero residue (DB cascade including join-scoped tables, storage blobs, identity PII), that the proof-of-erasure record is honest, and that a partial failure is safe and retryable.
  • Privileged (super-admin) access: that every read/mutation of customer data is logged or denied, with no unlogged path, and that the CI guard enforcing this actually works.
  • Seat/billing entitlement: that paid capability requires payment and seat caps are enforced (scope confirmed at kickoff; some billing paths may be out of scope).
  • Cross-feature composition: emergent leaks that appear only when SSO × session × MFA × audit × deletion interact, which per-feature tests miss.

The distinctive part of this job: we also need you to audit the test suite itself. Confirm the pgTAP/Vitest/Playwright tests are real (not “vacuous green”, i.e. passing for the wrong reason), that each test would actually fail if the control it guards were broken, and where coverage has gaps versus the documented threat model. We will give you our internal threat model as the coverage checklist; part of your value is finding the attacks it omits.

Required skills

  • Deep PostgreSQL / Supabase RLS expertise: you can read and reason about RLS policies, SECURITY DEFINER functions, and grants, and you know how multi-tenant isolation fails in practice.
  • Next.js (App Router): server actions, route handlers, middleware, server/client boundary.
  • A genuine application security / penetration-testing background: IDOR, broken access control, authz testing, OWASP Top 10, multi-tenant SaaS threat models.
  • Comfortable running a local stack (Supabase + Next.js + a background-job runner) and reading TypeScript + SQL.
  • Experience writing clear, evidence-based security findings (severity, reproduction steps, remediation).

Nice to have

  • Prior work supporting SOC 2 / enterprise security questionnaires / vendor security reviews.
  • pgTAP, Vitest, and Playwright experience (you’ll be auditing suites written in all three).
  • Auth/SSO (SAML/OIDC, MFA/AAL) and Stripe billing security experience.

Deliverables

  • A written security assessment report: for each boundary above, pass/fail with evidence and reproduction steps.
  • A test-suite integrity verdict: which existing tests are sound, which are vacuous, and the coverage gaps versus the threat model.
  • Severity-ranked findings (Critical→Low) with concrete remediation guidance.
  • A re-test pass after we fix anything you flag.
How we’ll work

NDA required before any access (private repo, enterprise customer data; no customer or third-party names will be shared publicly). We’ll provide repo access and a runnable environment (local stack and/or a staging instance) plus the threat model and the list of features in scope. Async-friendly; a short kickoff call to align on scope and the crown-jewel priorities.
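As an added illustration of the first boundary above, and of what a non-vacuous RLS test looks like (this is example code, not code from this posting or from the client's repository): a pgTAP test that impersonates a tenant-A user the way PostgREST does (role switch plus the request.jwt.claims setting) and then probes tenant B's rows by id for read, insert, update and delete. The table public.documents with a tenant_id column, the policy name tenant_isolation, and the JWT claim path app_metadata.tenant_id are assumptions; it is written to run as the postgres role against a local Supabase stack (where the authenticated role already has table grants), via pg_prove or supabase test db.

```sql
-- Added example, not the client's own test. Assumed schema (not created here):
--   public.documents(id uuid primary key, tenant_id uuid not null, body text)
--   with RLS enabled and a single policy:
--   create policy tenant_isolation on public.documents for all to authenticated
--     using  (tenant_id = (auth.jwt() -> 'app_metadata' ->> 'tenant_id')::uuid)
--     with check (tenant_id = (auth.jwt() -> 'app_metadata' ->> 'tenant_id')::uuid);
begin;
select plan(7);

-- Fixture rows for two tenants (constructed data), inserted as postgres,
-- which bypasses RLS, so both rows really exist when the probes run.
insert into public.documents (id, tenant_id, body) values
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'A secret'),
  ('22222222-2222-2222-2222-222222222222', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'B secret');

-- 1. The control must exist: RLS switched on, and exactly the expected policy
--    (a stray permissive policy would widen access without any query failing).
select is(
  (select relrowsecurity from pg_class where oid = 'public.documents'::regclass),
  true, 'RLS is enabled on public.documents');
select policies_are('public', 'documents', array['tenant_isolation'],
  'only the tenant_isolation policy exists on public.documents');

-- Impersonate a tenant-A user exactly as PostgREST would: switch to the
-- authenticated role and supply the JWT claims through the GUC auth.jwt() reads.
set local role authenticated;
set local request.jwt.claims to
  '{"sub":"user-a","role":"authenticated","app_metadata":{"tenant_id":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}}';

-- 2. Positive control: A sees its own row and nothing else. Without this, an
--    over-restrictive policy or a typo in the claim path would make every
--    isolation assertion below pass for the wrong reason.
select results_eq(
  $$ select body from public.documents $$,
  $$ values ('A secret') $$,
  'tenant A sees exactly its own documents');

-- 3. IDOR by primary key: B's row must be filtered out, not merely absent from listings.
select is_empty(
  $$ select id from public.documents where id = '22222222-2222-2222-2222-222222222222' $$,
  'tenant A cannot read a tenant B document by id');

-- 4. Cross-tenant insert: the WITH CHECK clause must reject the row (SQLSTATE 42501).
select throws_ok(
  $$ insert into public.documents (id, tenant_id, body)
     values (gen_random_uuid(), 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'planted') $$,
  '42501', null, 'tenant A cannot insert a document into tenant B');

-- 5/6. Cross-tenant update and delete: RLS makes these silent no-ops, so the
--      assertion is on the affected row count, not on an error.
select results_eq(
  $$ with u as (update public.documents set body = 'tampered'
               where id = '22222222-2222-2222-2222-222222222222' returning 1)
     select count(*)::int from u $$,
  $$ values (0) $$,
  'tenant A update against a tenant B row affects zero rows');
select results_eq(
  $$ with d as (delete from public.documents
               where id = '22222222-2222-2222-2222-222222222222' returning 1)
     select count(*)::int from d $$,
  $$ values (0) $$,
  'tenant A delete against a tenant B row affects zero rows');

reset role;
select * from finish();
rollback;
```

To prove the test is not vacuous green, run it a second time with `alter table public.documents disable row level security;` inserted right after `begin;`: every assertion except the policy listing must go red (the update and delete now each touch one row, the insert succeeds, and the listing returns both tenants' rows). A test that stays green with its control removed is exactly what the test-suite audit is meant to surface. The same probe shape extends to SECURITY DEFINER functions: call them while impersonating tenant A with tenant B's ids and assert they return nothing or raise, because a definer function runs as its owner and the caller's RLS policies do not apply inside it unless it re-checks tenancy itself.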

  • Hourly: Less than 30 hrs/week
  • Duration: 1-3 months
  • Experience Level: Expert
  • $70.00 - $120.00 Hourly
  • Remote Job
  • Project Type: Ongoing project
Skills and Expertise
Mandatory skills
Network Security
Penetration Testing
Nice-to-have skills
Security Analysis
Automated Testing
Activity on this job
  • Proposals: 20 to 50
  • Last viewed by client: last week
  • Interviewing: 6
  • Invites sent: 2
  • Unanswered invites: 0
About the client
Member since Apr 13, 2022
  • United States, Chino Hills
  • $7.4K total spent, 12 hires, 1 active
  • 123 hours
