FreeHire

Xsolla

Senior Application Security Specialist

Show
We are looking for junior application security specialists to join a growing security team at
Xsolla. This is a hands-on role where you will work closely with senior specialists to identify,
assess, and help remediate security vulnerabilities across our products and infrastructure.
You will be involved in day-to-day AppSec work - code reviews, vulnerability triage, threat
modeling, and security testing. You are curious, detail-oriented, and eager to develop deep
expertise in application security. You do not need to have all the answers, but you ask the right
questions and follow through.
This is a strong learning environment. You will be exposed to real-world security challenges in a
payment platform operating at scale, and supported by experienced security specialists who will
help you grow.

Responsibilities

  • Triage Security Findings - Assess incoming bug bounty reports and scanner findings.
    Evaluate validity, calculate real severity, and escalate appropriately with clear written
    summaries.
  • Assist with Vulnerability Assessments - Participate in security assessments of web
    applications and APIs. Help identify and document risks in new features and existing
    systems.
  • Write Clear Security Documentation - Document findings, reproduce steps, and
    remediation guidance in a way that engineering teams can act on.
  • Support Threat Modeling - Participate in threat modeling sessions. Learn to identify
    trust boundaries, data flows, and attack surfaces in system designs.
  • Monitor Security Tools - Help operate SAST, DAST, and dependency scanning tooling.
    Track findings, reduce noise, and support remediation workflows.
  • Support Code Reviews - Review code for common vulnerability classes under guidance
    of senior specialists. Learn to identify security issues across PHP, Python, and Go
    codebases.
  • Stay Current - Follow developments in the security community. Bring awareness of new
    vulnerability classes, CVEs, and attack techniques relevant to our stack.

    • What You Bring

  • Web Security Fundamentals - Solid understanding of common vulnerability classes:
    OWASP Top 10, CSRF, XSS, IDOR, SQL injection, open redirect, authentication and
    session management weaknesses. You understand root causes, not just names.
  • Web and Browser Fundamentals - Solid understanding of how web applications work:
    HTTP request/response cycle, client-server model, REST APIs, how browsers handle
    same-origin policy, cookies and their attributes, and CORS. This is the foundation
    everything else builds on.
  • Security Testing Tools - Hands-on experience with Burp Suite or similar web
    application security testing tools. You have used them to intercept, modify, and replay
    requests - not just run automated scans.
  • Vulnerability Documentation - Able to reproduce a vulnerability and write it up clearly:
    reproduction steps, proof of concept, and impact statement. Findings that engineering
    teams cannot reproduce or understand do not get fixed.
  • Secure Development Awareness - Familiarity with foundational secure coding
    concepts: input validation, output encoding, parameterized queries, and least privilege.
  • Code Readability - Ability to read and follow code in at least one language relevant to
    web security - PHP, Python, JavaScript, or Go. You don't need to be a developer, but you
    need to follow logic and spot security-relevant patterns.
  • Analytical Thinking - You reason through problems methodically. You can explain not
    just what a vulnerability is but why it exists, how it is exploited, and what fixing it
    actually requires.
  • Clear Written Communication - You write findings and summaries that are precise,
    reproducible, and useful to the engineers who need to act on them.
  • Curiosity and Initiative - You dig into problems rather than stopping at the surface.
    When something looks wrong, you investigate before concluding.

    • Nice to Have

  • Participation in bug bounty programs or CTF competitions
  • Basic scripting ability for automation - Python or Bash
  • Familiarity with CI/CD pipelines and where security tooling fits
  • Exposure to cloud environments - GCP, AWS, or Azure
  • Relevant coursework or certifications - eWPT, CEH, or similar entry-level credentials

    • Xsolla operates across multiple time zones. Strong written communication is essential - you will need to document your work clearly so findings and context are not lost across handoffs. We value directness, intellectual honesty, and follow-through. If you do not know something, say so and find out. If you find something, explain it clearly and see it through to resolution.

    Similar jobs

    Xsolla On-siteAPACSenior
    2 years ago

    Senior Software Engineer (PHP)

    Uber RemoteNorth AmericaFull-timeSenior
    5 months ago

    Senior Security Engineer - Application Security

    202 000 – 224 000 $
    definelycareers RemoteUKContractSenior
    last week

    Senior Information Security Officer

    AppsFlyer Senior
    5 months ago

    Senior Application Security Engineer

    Sectigo On-siteAPAC, North AmericaFull-timeJunior
    3 weeks ago

    Web Security Analyst Junior

    altersolutions North AmericaSenior
    2 years ago

    Senior IT and security Administrator – Malware Protection Specialist