Web Application & Database Security Audit for Custom CRM — BaaS / Database-as-API Specialist (Penetr
Project Overview
We operate a custom-built customer relationship management (CRM) platform that runs two service businesses on a single system. It is a modern JavaScript web application backed by a backend-as-a-service (BaaS) database and deployed on a serverless hosting platform. The platform manages the full customer lifecycle — lead intake, scheduling, work orders, invoicing, and team coordination — and stores personally identifiable information including customer names, postal addresses, phone numbers, email addresses, and service history.
We have already completed an internal security review and hardening pass. The objective of this engagement is independent, third-party validation of that work: confirmation that the hardening holds under adversarial testing, and identification of any remaining gaps. This is not a from-scratch build review. We are specifically seeking a specialist in the database-as-API security model — publicly exposed client keys governed by row-level access policies — as this is our primary risk surface. The full technical stack will be disclosed after an NDA is signed.
Engagement Approach
We propose a structured, two-phase engagement:
Phase 1 — Independent black-box assessment. No internal documentation or prior findings are disclosed. You evaluate the system as an external adversary would, producing an unbiased assessment of whether our hardening withstands testing.
Phase 2 — Gap review. Following your independent pass, we share our internal hardening findings. You confirm which items are genuinely remediated and surface what we have missed.
This sequencing preserves the integrity of an independent assessment while ensuring effort is not duplicated on issues already known to us.
Scope of Work
- Web application penetration test against the OWASP Top 10 (injection, cross-site scripting, authentication and session flaws, broken access control, and related categories).
- Primary focus — the database-as-API layer: review of row-level access policies, public client-key exposure, privilege escalation between user roles, and whether client-side access controls can be bypassed by querying the database directly.
- Database security review: access controls, credential storage, encryption at rest, network exposure, and backup security.
- Assessment of how customer personally identifiable information (PII) is stored, transmitted, and protected.
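An added illustration of the access model this scope targets (not the client's schema or policies; it assumes a Supabase-style PostgREST deployment, a hypothetical `customers` table, and a hypothetical `app_role` JWT claim): the weak row-level policy that the public client key would expose beside the corrected one, with the check a tester runs in the staging copy.

```sql
-- Added example, not the client's schema. Hypothetical "customers" table in a
-- Supabase/PostgREST-style deployment: the public client key reaches the
-- database directly, so row-level security is the only effective control.
create table customers (
  id        bigint generated always as identity primary key,
  owner_id  uuid not null default auth.uid(),  -- Supabase auth user who created the row
  business  text not null,                     -- which of the two service businesses
  full_name text not null,
  phone     text,
  email     text
);
-- Assumption: as in a default Supabase project, the anon/authenticated API roles
-- already hold table grants, so RLS policies decide what each caller can see.

-- Weak setting: RLS enabled but with a permissive catch-all policy. Any holder
-- of the public client key can read every customer's PII.
alter table customers enable row level security;
create policy "anyone can read" on customers for select using (true);  -- defect

-- Corrected: remove the catch-all and scope each operation to the caller's own
-- rows; staff access is granted through a role claim carried in the JWT.
drop policy "anyone can read" on customers;
create policy "owner reads own rows" on customers for select
  using (auth.uid() = owner_id);
create policy "owner inserts own rows" on customers for insert
  with check (auth.uid() = owner_id);
create policy "owner updates own rows" on customers for update
  using (auth.uid() = owner_id) with check (auth.uid() = owner_id);
-- "app_role" is an assumed custom claim name; auth.jwt() is Supabase's accessor.
create policy "staff reads all" on customers for select
  using ((auth.jwt() ->> 'app_role') = 'staff');

-- Verification in the staging copy: impersonate the API role exactly as
-- PostgREST does and confirm an anonymous caller sees no rows.
set role anon;
select count(*) from customers;  -- expect 0: no JWT, so auth.uid() is null
reset role;
```

Repeating the impersonation with `request.jwt.claims` set to a test user's `sub` confirms that an authenticated caller sees only rows whose `owner_id` matches.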
Required Skills & Experience
- Demonstrated web application penetration testing experience (please share a redacted sample report).
- Hands-on experience with backend-as-a-service / database-as-API platforms (e.g. Supabase, Firebase, PostgREST) and row-level security or equivalent client-side-key access models — not only classic server-side applications. This is the most important requirement.
- Familiarity with securing applications that handle personal data.
- Clear written communication. We have performed internal hardening and require independent validation, so findings must be explained plainly enough for non-technical leadership to act on.
Certifications (Preferred)
- OSWE (Offensive Security Web Expert)
- OSCP, GWAPT, or an equivalent GIAC web application certification is also welcome.
Rules of Engagement
- Dynamic testing is performed against a dedicated staging/sandbox copy that we provide, not against live production. Any production testing requires prior written sign-off.
- An NDA is required before any access or technical detail is shared.
- No real customer PII may be exfiltrated, copied, or retained at any stage of the engagement.
Deliverables
- A written report with findings ranked by severity (Critical / High / Medium / Low), each accompanied by specific, actionable remediation steps.
- A concise executive summary for non-technical leadership.
- A complimentary re-test after we apply fixes, to confirm that remediations are effective.
Scope Reference (for accurate fixed-fee quotes)
Approximately 30 database tables exposed via the BaaS auto-generated REST API — the primary attack surface, governed by row-level policies; plus ~9 custom serverless endpoints; 3–4 user roles; single tenant.
To Apply, Please Include
- A brief note on your relevant BaaS / row-level-security audit experience.
- A redacted sample report, or a description of what your reports contain.
- Your estimated timeline and pricing model (fixed-fee preferred).
- Any clarifying questions about scope.
-
Hello, I worked on a security audit for an e-commerce platform with over 15,000 users that used Firebase with row-level security policies. I found 8 critical vulnerabilities in the database-as-API architecture and helped protect the PII of over 400,000 clients.
What specific BaaS platform is used in your CRM system? This will help me better understand the specifics of the row-level access policies that need to be tested.
I suggest we get in touch; I will provide you with a free technical consultation and we can create a development plan + I will tell you about my team!