
Senior Web Application Source Code Reviewer (Security)

$74,322 - $130,000 /yearly
Application ends: 2026-03-24

Quick Summary

Invadel is seeking a Senior Web Application Source Code Reviewer for remote, project-based contract work focusing on manual security analysis of backend and frontend code. The role requires identifying complex vulnerabilities like IDOR, broken access control, and multi-tenant isolation issues across various frameworks including Node.js, Python, PHP, Java, and .NET. Candidates must have at least three years of application security experience, a deep understanding of authorization models, and the ability to work independently without relying on automated scanners.

Project-Based Contract | Remote | Offensive Security Focus

Invadel is looking for an experienced Web Application Source Code Reviewer to perform deep security reviews of modern web applications. This is not a checkbox role. We are looking for someone who can actually find real-world vulnerabilities in source code - especially authorization flaws like IDOR, broken access control, privilege escalation, and multi-tenant isolation issues.

This is project-based contract work: we engage you when projects require deep source-level analysis. It is not a full-time salaried role. You must be available when assigned and capable of working independently.

What You’ll Be Doing

  • Perform manual source code reviews for web applications (backend & frontend)
  • Identify vulnerabilities including:
      ◦ IDOR (Insecure Direct Object References)
      ◦ Broken Access Control
      ◦ Privilege Escalation (horizontal & vertical)
      ◦ Multi-tenant data isolation failures
      ◦ Business logic flaws
      ◦ Authentication & session management issues
      ◦ Insecure deserialization
      ◦ Injection vulnerabilities
      ◦ SSRF, CSRF, XSS
  • Review API authorization logic and middleware controls
  • Map role-based access control (RBAC) implementations
  • Trace request flow from controller to database layer
  • Identify insecure object references in REST & GraphQL APIs
  • Document findings with clear proof-of-concept and remediation guidance
  • Work alongside our offensive security team when needed

Required Experience

  • 3+ years hands-on application security experience
  • Strong background in manual source code review
  • Deep understanding of authorization models and access control logic
  • Experience reviewing code in one or more of:
      ◦ Node.js (Express/NestJS)
      ◦ Python (Django/FastAPI)
      ◦ PHP (Laravel)
      ◦ Java (Spring)
      ◦ .NET
  • Strong understanding of:
      ◦ OWASP Top 10
      ◦ Multi-tenant architecture risks
      ◦ Secure coding practices
      ◦ Modern API security patterns
  • Ability to read and understand large codebases quickly
  • Ability to work without hand-holding

Nice to Have

  • Prior pentesting experience
  • Experience with SaaS multi-tenant systems
  • Experience with cloud environments (AWS, GCP, Azure)
  • Familiarity with CI/CD pipelines
  • OSCP, OSWE, or similar certifications (not required but valued)

Engagement Structure

  • Project-based contract (1099 / Independent Contractor)
  • Paid per engagement (fixed scope or agreed day rate)
  • Remote
  • NDA required
  • Must be comfortable handling sensitive client code securely

Who This Is NOT For

  • Junior developers looking to “learn security”
  • Automated scanner operators
  • People who rely only on tools without understanding logic flaws
  • Anyone who cannot clearly document findings

Only apply if you are confident reviewing complex authorization logic and finding vulnerabilities others miss.

Job Type: Contract
Pay: $74,322.32 - $130,000.00 per year
Work Location: Remote
