About this Junior Application Security Specialist role at Xsolla
We are looking for a junior application security specialist to join a growing security team at Xsolla. This is a hands-on role where you will work closely with senior specialists to identify, assess, and help remediate security vulnerabilities across our products and infrastructure.
You will be involved in day-to-day AppSec work - code reviews, vulnerability triage, threat modeling, and security testing. You are curious, detail-oriented, and eager to develop deep expertise in application security. You do not need to have all the answers, but you ask the right questions and follow through.
This is a strong learning environment. You will be exposed to real-world security challenges in a payment platform operating at scale, and supported by experienced security specialists who will help you grow.
Responsibilities
-
Triage Security Findings - Assess incoming bug bounty reports and scanner findings. Evaluate validity, calculate real severity, and escalate appropriately with clear written summaries.
-
Assist with Vulnerability Assessments - Participate in security assessments of web applications and APIs. Help identify and document risks in new features and existing systems.
-
Write Clear Security Documentation - Document findings, reproduction steps, and remediation guidance in a way that engineering teams can act on.
-
Support Threat Modeling - Participate in threat modeling sessions. Learn to identify trust boundaries, data flows, and attack surfaces in system designs.
-
Monitor Security Tools - Help operate SAST, DAST, and dependency scanning tooling. Track findings, reduce noise, and support remediation workflows.
-
Support Code Reviews - Review code for common vulnerability classes under guidance of senior specialists. Learn to identify security issues across PHP, Python, and Go codebases.
-
Stay Current - Follow developments in the security community. Bring awareness of new vulnerability classes, CVEs, and attack techniques relevant to our stack.
What You Bring
-
Web Security Fundamentals - Solid understanding of common vulnerability classes: OWASP Top 10, CSRF, XSS, IDOR, SQL injection, open redirect, authentication and session management weaknesses. You understand root causes, not just names.
-
Web and Browser Fundamentals - Solid understanding of how web applications work: HTTP request/response cycle, client-server model, REST APIs, how browsers handle same-origin policy, cookies and their attributes, and CORS. This is the foundation everything else builds on.
-
Security Testing Tools - Hands-on experience with Burp Suite or similar web application security testing tools. You have used them to intercept, modify, and replay requests — not just run automated scans.
-
Vulnerability Documentation - Able to reproduce a vulnerability and write it up clearly: reproduction steps, proof of concept, and impact statement. Findings that engineering teams cannot reproduce or understand do not get fixed.
-
Secure Development Awareness - Familiarity with foundational secure coding concepts: input validation, output encoding, parameterized queries, and least privilege.
-
Code Readability - Ability to read and follow code in at least one language relevant to web security - PHP, Python, JavaScript, or Go. You don't need to be a developer, but you need to follow logic and spot security-relevant patterns.
-
Analytical Thinking - You reason through problems methodically. You can explain not just what a vulnerability is but why it exists, how it is exploited, and what fixing it actually requires.
-
Clear Written Communication - You write findings and summaries that are precise, reproducible, and useful to the engineers who need to act on them.
-
Curiosity and Initiative - You dig into problems rather than stopping at the surface. When something looks wrong, you investigate before concluding
Nice to Have
-
Participation in bug bounty programs or CTF competitions;
-
Basic scripting ability for automation - Python or Bash;
-
Familiarity with CI/CD pipelines and where security tooling fits;
-
Exposure to cloud environments - GCP, AWS, or Azure;
-
Relevant coursework or certifications - eWPT, CEH, PortSwigger Web Security Academy progress, or similar entry-level credentials.
Xsolla operates across multiple time zones. Strong written communication is essential - you will need to document your work clearly so findings and context are not lost across handoffs. We value directness, intellectual honesty, and follow-through. If you do not know something, say so and find out. If you find something, explain it clearly and see it through to resolution.