Junior Application Security Specialist
TLDR
Join a hands-on security team at Xsolla, engaging in real-world security challenges while developing expertise in application security through collaboration with experienced specialists.
Evaluate validity, calculate real severity, and escalate appropriately with clear written
summaries.
Assist with Vulnerability Assessments - Participate in security assessments of web
applications and APIs. Help identify and document risks in new features and existing
systems.
Write Clear Security Documentation - Document findings, reproduction steps, and
remediation guidance in a way that engineering teams can act on.
Support Threat Modeling - Participate in threat modeling sessions. Learn to identify
trust boundaries, data flows, and attack surfaces in system designs.
Monitor Security Tools - Help operate SAST, DAST, and dependency scanning tooling.
Track findings, reduce noise, and support remediation workflows.
Support Code Reviews - Review code for common vulnerability classes under the guidance
of senior specialists. Learn to identify security issues across PHP, Python, and Go
codebases.
Stay Current - Follow developments in the security community. Bring awareness of new
vulnerability classes, CVEs, and attack techniques relevant to our stack.
OWASP Top 10, CSRF, XSS, IDOR, SQL injection, open redirect, authentication and
session management weaknesses. You understand root causes, not just names.
Web and Browser Fundamentals - Solid understanding of how web applications work:
HTTP request/response cycle, client-server model, REST APIs, how browsers handle
same-origin policy, cookies and their attributes, and CORS. This is the foundation
everything else builds on.
Security Testing Tools - Hands-on experience with Burp Suite or similar web
application security testing tools. You have used them to intercept, modify, and replay
requests - not just run automated scans.
Vulnerability Documentation - Able to reproduce a vulnerability and write it up clearly:
reproduction steps, proof of concept, and impact statement. Findings that engineering
teams cannot reproduce or understand do not get fixed.
Secure Development Awareness - Familiarity with foundational secure coding
concepts: input validation, output encoding, parameterized queries, and least privilege.
Code Readability - Ability to read and follow code in at least one language relevant to
web security - PHP, Python, JavaScript, or Go. You don't need to be a developer, but you
need to follow logic and spot security-relevant patterns.
Analytical Thinking - You reason through problems methodically. You can explain not
just what a vulnerability is but why it exists, how it is exploited, and what fixing it
actually requires.
Clear Written Communication - You write findings and summaries that are precise,
reproducible, and useful to the engineers who need to act on them.
Curiosity and Initiative - You dig into problems rather than stopping at the surface.
When something looks wrong, you investigate before concluding.
Basic scripting ability for automation - Python or Bash
Familiarity with CI/CD pipelines and where security tooling fits
Exposure to cloud environments - GCP, AWS, or Azure
Relevant coursework or certifications - eWPT, CEH, or similar entry-level credentials
Xsolla operates across multiple time zones. Strong written communication is essential - you will
need to document your work clearly so findings and context are not lost across handoffs.
We value directness, intellectual honesty, and follow-through. If you do not know something,
say so and find out. If you find something, explain it clearly and see it through to resolution.
Xsolla is a global commerce company that empowers game developers by providing tools and services to tackle the complexities of the video game industry. Catering to both indie and AAA developers, Xsolla partners with them to enhance funding, distribution, marketing, and monetization of their games. With a mission to connect opportunities and innovate resources, Xsolla has supported over 1,500 game creators in expanding their reach and growing their businesses worldwide.
- Founded: 2005
- Employees: 201-500
- Industry: Diversified Financial Services