Wolters Kluwer

IT Security Analyst - Web and API Penetration Testing

Wolters Kluwer
Pune
Not disclosed
Work from Office
Full Time
Min. 3 years

Job Description

IT Security Analyst - Penetration Test (Burp Suite)

About the Role:

Wolters Kluwer Global Business Services (GBS) is designed to provide services to the business units in the areas of technology, sourcing, procurement, legal, finance, and human resources. These global centers promote team collaboration using best practices around a specific focus area to drive results and enhance operational efficiencies. There is a constant endeavor to benchmark against best-in-class industry standards to improve the quality of deliverables, increase cost savings, enhance productivity and reduce time to market for products and applications.

We have an amazing opportunity for an IT Security Analyst (Web & API Penetration Testing), available within our Global Business Services division! This position has been created due to growth! The IT Security Analyst (Web & API Penetration Testing) will be an integral part of our Attack Surface Management (ASM) and will be responsible for ensuring the operation and delivery of critical security services to protect and enhance the confidentiality, integrity, and availability of Wolters Kluwer assets. This position is remote.

As the IT Security Analyst (Web & API Penetration Testing), you will assist in efforts to strengthen the secure configuration and hardening of systems within Wolters Kluwer. In this role, you will be required to demonstrate proficiency in systems configuration, data gathering and information synthesis in various areas of IT security including penetration testing. Your role will also include interfacing with and responding to internal business unit IT representatives and stakeholders at all levels during performance of your duties.


Responsibilities:

Advanced Logic Testing (Beyond Scanners):

  • Identify critical business logic flaws that automated tools miss, such as price manipulation, race conditions, and privilege escalation in multi-tenant SaaS environments.
  • Perform deep-dive manual testing on complex Single Page Applications (React, Angular, Vue.js) to find client-side authorization bypasses.

API Security & Microservices:

  • Assess REST, GraphQL, and gRPC endpoints for "Broken Object Level Authorization" (BOLA/IDOR) and "Mass Assignment" vulnerabilities.
  • Test authentication and authorization mechanisms (OAuth 2.0, OIDC, JWT) for implementation flaws that allow account takeover.

Cloud-Native App Assessment:

  • Evaluate web applications hosted on serverless architectures (AWS Lambda, Azure Functions) for injection attacks and cloud-specific misconfigurations (e.g., SSRF into cloud metadata services).

Strategic & Architecture Review:

  • Conduct Threat Modeling sessions during the design phase to identify flaws in payment gateways, session management, and data handling workflows.
  • Act as the "Security Champion" for engineering teams, translating complex vulnerabilities (like Insecure Deserialization) into clear, code-level remediation steps.

Custom Tooling & DevSecOps:

  • Write custom Burp Suite extensions or Python scripts to automate complex authentication flows or proprietary data formats during testing.
  • Integrate DAST (Dynamic Analysis) tools into the CI/CD pipeline to catch regressions early.

Skills:

  • 5+ years of total experience in Information Technology
  • 3+ years of professional experience in an information security function, including analyzing and applying information security risk management, and privacy practices
  • Flexible working hours to support a global operation
  • Required Interpersonal Skills
    • Excellent oral and written communication ability
    • Ability to present complex technical issues and findings to diverse audiences in both technical and non-technical parlance, both orally and in writing
    • Diplomacy in working with customers and stakeholders in other parts of the business
    • Ability to follow policy and procedure
    • Ability to work in a team and at times perform under stress
    • Demonstrate integrity in dealing with potentially sensitive data and restricted information
    • Exceptionally self-motivated with superior analytical, evaluative, and problem-solving abilities
    • Ability to set and manage priorities judiciously
  • Required Technical Skills
    • Knowledge of basic security principles to include confidentiality, integrity, and availability; access control, authentication, and authorization; privacy and non-repudiation
    • Strong understanding of security concepts and technologies, including encryption, firewalls, intrusion detection and prevention, and vulnerability management
    • Experience with penetration testing tools and methodologies
    • Understanding of security vulnerabilities and exposures, and from where they arise
    • Familiarity with the Internet, its network protocols, and network applications and services
    • Knowledge of network security issues and host/system security configuration and hardening
  • Required System Security Skills
    • Through good communication and documentation, presents a consistent front to customers and stakeholders
    • Ability to synthesize data from technical skills listed above to understand and convey security best practices
    • Ability to utilize interpersonal skills listed above to communicate with customers and stakeholders and bring quick resolution
    • Demonstrated ability to analyze ongoing situations for the potential of a security incident
    • Ability to maintain inventory oversight in support of WK asset control requirements
    • Familiar with ITIL service management methodology
  • Strong technical skills in security assessments of external service providers and management of partner suppliers

Our Interview Practices

To maintain a fair and genuine hiring process, we kindly ask that all candidates participate in interviews without the assistance of AI tools or external prompts. Our interview process is designed to assess your individual skills, experiences, and communication style. We value authenticity and want to ensure we’re getting to know you, not a digital assistant. To help maintain this integrity, we ask candidates to remove virtual backgrounds, and we include in-person interviews in our hiring process. Please note that use of AI-generated responses or third-party support during interviews will be grounds for disqualification from the recruitment process.

Applicants may be required to appear onsite at a Wolters Kluwer office as part of the recruitment process.

Experience Level

Mid Level

Job role

Work location: IND-Pune-Smartworks, India
Department: IT & Information Security
Role / Category: IT Security
Employment type: Full Time
Shift: Day Shift

Job requirements

Experience: Min. 3 years

About company

Name: Wolters Kluwer
Job posted by Wolters Kluwer
