Senior Security Engineer
About Atlariem
Atlariem is an operational registry platform that helps organizations understand, organize, and protect their digital operations.
Companies rely on software systems, domains, cloud infrastructure, vendor accounts, repositories, subscriptions, credentials, and other digital assets. Information about who owns those assets, how they connect, and where risks exist is often scattered across spreadsheets, inboxes, and individual employees.
Atlariem gives operations, IT, security, and governance teams a centralized view of what the organization owns, who is responsible for it, and where operational risks may exist.
Because Atlariem stores sensitive organizational and ownership information, the platform treats security, privacy, tenant isolation, and infrastructure resilience as core priorities.
About the Contract
Atlariem is seeking an experienced Contract Security Engineer to assess and strengthen the security of our SaaS application, production infrastructure, deployment processes, and internal security practices.
The contractor will work directly with the founder and development team to identify vulnerabilities, validate existing protections, recommend practical improvements, and help implement high-priority remediations.
This is a hands-on role. We are looking for someone who can move beyond automated scan results, understand the business impact of security findings, and provide clear, actionable guidance suitable for an early-stage SaaS company.
The initial engagement will focus on a comprehensive security review. There may be an opportunity for ongoing advisory, testing, monitoring, and remediation work.
Responsibilities
Conduct a security assessment of Atlariem’s web application and production environment.
Review authentication, authorization, session management, and account-recovery workflows.
Test role-based access controls and multi-tenant data isolation.
Identify potential insecure direct object reference (IDOR) and privilege-escalation vulnerabilities.
Review protections against common web application risks, including injection, cross-site scripting, cross-site request forgery, server-side request forgery, and insecure file handling.
Evaluate API security, endpoint authorization, rate limiting, and input validation.
Review the handling of credentials, environment variables, API keys, tokens, and other secrets.
Assess production server configuration, network exposure, firewall rules, TLS configuration, and operating-system hardening.
Review dependency management and software supply-chain risks.
Evaluate logging, alerting, audit trails, and security-event visibility.
Review deployment workflows, repository security, branch protections, and CI/CD practices.
Assess backup, restoration, disaster-recovery, and incident-response procedures.
Review data protection, encryption, retention, and deletion practices.
Perform authorized manual and automated security testing within agreed-upon environments.
Prioritize findings based on likelihood, severity, exploitability, and business impact.
Provide clear remediation instructions and assist with implementing critical fixes.
Retest remediated vulnerabilities and confirm that issues have been properly resolved.
Help establish practical security policies, checklists, and development standards.
Expected Deliverables
The initial engagement is expected to include:
A review of the application architecture and production environment.
A documented application and infrastructure security assessment.
A prioritized vulnerability report with severity ratings.
Reproduction steps and supporting evidence for confirmed findings.
Clear remediation guidance for each issue.
Identification of immediate, short-term, and longer-term security improvements.
A meeting to review findings with the founder and development team.
Verification testing for completed high-priority remediations.
Recommendations for ongoing security monitoring and future assessments.
Required Qualifications
Professional experience in application security, cloud security, infrastructure security, penetration testing, or security engineering.
Experience assessing production web applications and SaaS platforms.
Strong understanding of authentication, authorization, and access-control vulnerabilities.
Experience reviewing multi-user or multi-tenant application architectures.
Knowledge of the OWASP Top 10 and modern web application attack techniques.
Strong understanding of HTTP, TLS, DNS, networking, firewalls, and Linux systems.
Experience conducting both automated and manual security testing.
Ability to distinguish exploitable security issues from low-risk scanner findings.
Experience writing clear security reports with actionable remediation steps.
Ability to communicate technical findings to developers and nontechnical stakeholders.
Strong professional judgment when handling sensitive systems and information.
Ability to work independently and manage an agreed-upon scope and timeline.
Preferred Experience
Experience securing Python and Django applications.
Familiarity with Gunicorn, LiteSpeed, Nginx, or similar web-server environments.
Experience reviewing Ubuntu-based virtual private servers.
Knowledge of Django security controls, middleware, sessions, CSRF protection, and ORM-related risks.
Experience with GitHub security settings and CI/CD pipeline reviews.
Familiarity with secrets-management platforms and secure environment configuration.
Experience with cloud or VPS infrastructure hardening.
Knowledge of database security, backup validation, and recovery planning.
Familiarity with Stripe, email-service integrations, OAuth, webhooks, or third-party APIs.
Experience preparing SaaS organizations for SOC 2, ISO 27001, NIST, CIS Controls, or similar frameworks.
Experience advising early-stage startups that need strong security without unnecessary enterprise overhead.
Technical Environment
Current and planned technologies may include:
Python
Django
JavaScript, HTML, and CSS
Ubuntu Linux
Gunicorn
LiteSpeed
Git and GitHub
SQLite, with potential future migration to PostgreSQL
Stripe and other third-party service integrations
Virtual private server infrastructure
Environment-based secrets and configuration
Automated deployment workflows
Candidates are not expected to specialize in every technology listed, but direct experience with Django and Linux-hosted SaaS applications is highly valuable.
Engagement Priorities
The contractor’s initial priorities will include:
Authentication and account security.
Authorization and tenant-data isolation.
Production server and infrastructure hardening.
Secrets and credential management.
Application vulnerability testing.
Logging, monitoring, and audit visibility.
Backup and recovery validation.
Deployment and software supply-chain security.
Incident-response readiness.
Long-term security planning.
Rules of Engagement
All testing must be authorized in advance and limited to the systems, accounts, and environments included in the agreed scope.
The contractor will be expected to:
Avoid testing that could unnecessarily disrupt production systems.
Coordinate potentially destructive or high-impact testing in advance.
Protect all credentials, customer information, findings, and internal documentation.
Report critical vulnerabilities immediately.
Securely delete or return sensitive information at the end of the engagement.
Sign confidentiality and contractor agreements before receiving privileged access.
Why Work With Atlariem?
Direct access to the founder and development decision-makers.
Ability to influence security architecture at an early and important stage.
Clear opportunity to see recommendations implemented quickly.
Flexible remote engagement.
Potential for recurring assessments and ongoing advisory work.
Opportunity to help secure a platform focused on organizational accountability and operational resilience.
How to Apply
Please provide:
A brief introduction and summary of your relevant security experience.
Your resume, professional profile, website, or portfolio.
Examples of similar SaaS, application-security, or infrastructure-security engagements.
Your experience with Python, Django, Linux, and multi-tenant applications.
A description of your typical security-assessment process.
Your availability.
Your preferred hourly rate, project rate, or retainer structure.
Any relevant certifications, reports, publications, open-source work, or responsible disclosures.
Shortlisted candidates may be asked to discuss how they would approach assessing Atlariem’s application, tenant isolation, server configuration, and deployment workflow.
Applicants must be willing to sign appropriate confidentiality and independent-contractor agreements before receiving access to nonpublic systems or information.