About this project
We are looking for an experienced Application Security / Penetration Testing specialist to perform a manual security assessment (pentest) of a multi-tenant SaaS platform, including both the web application and REST APIs.
The objective of this engagement is to identify real-world vulnerabilities, assess risk severity, and validate existing security controls, following the OWASP Web Top 10 and OWASP API Security Top 10 methodologies. This engagement requires manual testing; automated scans alone are not sufficient.
The scope of work includes manual web application pentesting and manual REST API pentesting, with specific focus on: authentication and authorization mechanisms; the JWT implementation, including signing, expiration, validation and tenant binding; multi-tenant access control scenarios such as BOLA (broken object level authorization) and BFLA (broken function level authorization); file upload handling; secrets and configuration management; and rate limiting and anti-abuse controls. The assessment should also validate potential cross-tenant attack scenarios.
Expected deliverables include a detailed technical report describing identified vulnerabilities, severity classification (Critical, High, Medium, Low), technical descriptions with associated risks, redacted evidence without sensitive data, and clear remediation recommendations. An executive summary is also required. A re-test after remediation may be requested and should be quoted separately.
Candidates should demonstrate proven experience in web application and REST API pentesting, strong knowledge of the OWASP Web and OWASP API methodologies, and a solid understanding of SaaS and multi-tenant architectures. Experience with JWT-based authentication and authorization is required. Security certifications such as OSCP, OSWE, CEH, eJPT or similar are valued but not mandatory.
The work will be performed remotely, with access to a staging or controlled testing environment. Estimated duration is one to two weeks, depending on the proposed approach. A Non-Disclosure Agreement will be required. Communication can be in English or Spanish.
Category IT & Programming
Subcategory Web development
Delivery term: Not specified