At Bayer we’re visionaries, driven to solve the world’s toughest challenges and striving for a world where ,Health for all, Hunger for none’ is no longer a dream, but a real possibility. We’re doing it with energy, curiosity and sheer dedication, always learning from unique perspectives of those around us, expanding our thinking, growing our capabilities and redefining ‘impossible’. There are so many reasons to join us. If you’re hungry to build a varied and meaningful career in a community of brilliant and diverse minds to make a real difference, there’s only one choice.

 

Web & Application Penetration Tester 

 

For Digital Hub Warsaw, we are looking for:

 

Web & Application Penetration Tester

We are looking for a Web/Application Penetration Tester with at least 5 years of solid, hands-on offensive security experience. This role requires deep technical knowledge of modern applications, creative vulnerability exploitation, and strong collaboration skills to help secure critical platforms and services.

 

Key Tasks & Responsibilities:

Web & API AssessmentsPerform detailed penetration tests against web applications, APIs, and microservices.Identify vulnerabilities in authentication, session management, authorization, and data validation.Exploit and demonstrate insecure direct object references, SQLi, XSS, SSRF, template injection, deserialization, CSRF, and business logic flaws.Test GraphQL, REST, and gRPC APIs for access control bypasses, injection flaws, and mass-assignment risks.Mobile Application TestingAssess Android/iOS apps for insecure storage, traffic interception, SSL pinning, hardcoded secrets, and API misconfigurations.Reverse and analyze application logic using Frida, Objection, Burp Mobile Suite, JADX, or Hopper.Code & Dependency SecurityConduct static and dynamic analysis of application codebases where applicable.Identify risks in third-party dependencies, supply chain integrations, and open-source libraries.Reporting & CommunicationWrite clear, reproducible, and actionable reports with proof-of-concept exploit details.Communicate findings to developers and architects in a way that drives real remediation, not just documentation.Provide secure coding recommendations mapped to OWASP and industry best practices.Continuous ImprovementDevelop scripts and custom tooling to automate test cases, payload generation, and reporting workflows.Stay ahead of emerging attack vectors in web frameworks, cloud-native apps, and modern authentication schemes (OAuth2, JWT, SAML).Contribute to internal methodology updates and maintain a repository of test cases and payloads.

Qualifications & Competencies (education, skills, experience):

 

Core Web SecurityStrong understanding of HTTP, cookies, headers, sessions, CORS, and TLS.Expert with Burp Suite Pro and related tooling (Extender, Collaborator, custom extensions).Ability to manually identify and exploit injection flaws, race conditions, and logic bypasses.Modern Web TechnologiesFamiliarity with single-page app frameworks (React, Angular, Vue) and their unique security issues.Hands-on experience testing OAuth2, OpenID Connect, SAML, and JWT implementations.Knowledge of SSO, MFA, and federation mechanisms and their common pitfalls.API SecurityProficient in testing REST, GraphQL, SOAP, and gRPC endpoints.Experience with mass assignment, broken object-level authorization (BOLA), and broken function-level authorization (BFLA).Ability to assess rate limiting, replay attack defenses, and API abuse scenarios.Mobile Application SecurityUnderstanding of OWASP Mobile Top 10 risks.Familiarity with APK/IPA unpacking, dynamic instrumentation, and certificate pinning bypass.Scripting & ToolingProficiency in Python, JavaScript, or Bash/PowerShell for exploit development and automation.Ability to create custom PoCs instead of relying solely on scanners.Familiarity with tools such as sqlmap, ffuf, nuclei, mitmproxy, Postman, Frida, and Objection.

 

Motivated & Proactive – Self-starter who keeps up with modern attacker tradecraft.Team Player – Works effectively with developers, QA, and security engineers; values collaboration over silos.Problem Solver – Can take vague or incomplete application designs and still identify weak points.Clear Communicator – Explains technical findings in developer-friendly language with practical fix guidance.

 

Desirable (Not Required)

Familiarity with cloud-native web services (serverless apps, API gateways, WAF bypasses).Knowledge of CI/CD security (secrets exposure, insecure build pipelines).Experience integrating pentesting results into bug bounty or SDLC workflows.Relevant certifications such as OSWE, OSCP, GWAPT, eWPTX.

What do We offer:

 

A flexible, hybrid work modelGreat workplace in a new modern office in WarsawCareer development, 360° Feedback & Mentoring programmeWide access to professional development tools, trainings, & conferencesCompany Bonus & Reward StructureVIP Medical Care Package (including Dental & Mental health)Holiday allowance (“Wczasy pod gruszą”)Life & Travel InsurancePension planCo-financed sport card - FitProfitMeals Subsidy in OfficeAdditional days offBudget for Home Office Setup & MaintenanceAccess to Company Game Room equipped with table tennis, soccer table, Sony PlayStation 5 and Xbox Series X consoles setup with premium game passes, and massage chairsTailored-made support in relocation to Warsaw when neededPlease send your CV in English

 

You feel you do not meet all criteria we are looking for? That doesn’t mean you aren’t the right fit for the role. Apply with confidence, we value potential over perfection

 

WORK LOCATION: WARSAW AL.JEROZOLIMSKIE 158

  

  YOUR APPLICATION   

Bayer welcomes applications from all individuals, regardless of race, national origin, gender, age, physical characteristics, social origin, disability, union membership, religion, family status, pregnancy, sexual orientation, gender identity, gender expression or any unlawful criterion under applicable law. We are committed to treating all applicants fairly and avoiding discrimination.

Bayer is committed to providing access and reasonable accommodations in its application process for individuals with disabilities and encourages applicants with disabilities to request any needed accommodation(s) using the contact information below. 

Bayer offers the possibility of working in a hybrid model. We know how important work-life balance is, so our employees can work from home, from the office or combine both work environments. The possibilities of using the hybrid model are each time discussed with the manager.
Bayer respects and applies the Whistleblower Act in Poland.

     Location:Poland : Mazowieckie : Warszawa    Division:CSF   Reference Code:851278   

 

 

Location:

Poland : Mazowieckie : Warszawa  

 

Division:

CSF

 

 

Reference Code:

851278