Junior Application Security Specialist

We are looking for junior application security specialists to join a growing security team at
Xsolla. This is a hands-on role where you will work closely with senior specialists to identify,
assess, and help remediate security vulnerabilities across our products and infrastructure.
You will be involved in day-to-day AppSec work - code reviews, vulnerability triage, threat
modeling, and security testing. You are curious, detail-oriented, and eager to develop deep
expertise in application security. You do not need to have all the answers, but you ask the right
questions and follow through.
This is a strong learning environment. You will be exposed to real-world security challenges in a
payment platform operating at scale, and supported by experienced security specialists who will
help you grow.

Triage Security Findings - Assess incoming bug bounty reports and scanner findings.
Evaluate validity, calculate real severity, and escalate appropriately with clear written
summaries.
 Assist with Vulnerability Assessments - Participate in security assessments of web
applications and APIs. Help identify and document risks in new features and existing
systems.
 Write Clear Security Documentation - Document findings, reproduce steps, and
remediation guidance in a way that engineering teams can act on.
 Support Threat Modeling - Participate in threat modeling sessions. Learn to identify
trust boundaries, data flows, and attack surfaces in system designs.
 Monitor Security Tools - Help operate SAST, DAST, and dependency scanning tooling.
Track findings, reduce noise, and support remediation workflows.
 Support Code Reviews - Review code for common vulnerability classes under guidance
of senior specialists. Learn to identify security issues across PHP, Python, and Go
codebases.
 Stay Current - Follow developments in the security community. Bring awareness of new
vulnerability classes, CVEs, and attack techniques relevant to our stack.

 Web Security Fundamentals - Solid understanding of common vulnerability classes:
OWASP Top 10, CSRF, XSS, IDOR, SQL injection, open redirect, authentication and
session management weaknesses. You understand root causes, not just names.
 Web and Browser Fundamentals - Solid understanding of how web applications work:
HTTP request/response cycle, client-server model, REST APIs, how browsers handle
same-origin policy, cookies and their attributes, and CORS. This is the foundation
everything else builds on.
 Security Testing Tools - Hands-on experience with Burp Suite or similar web
application security testing tools. You have used them to intercept, modify, and replay
requests - not just run automated scans.
 Vulnerability Documentation - Able to reproduce a vulnerability and write it up clearly:
reproduction steps, proof of concept, and impact statement. Findings that engineering
teams cannot reproduce or understand do not get fixed.
 Secure Development Awareness - Familiarity with foundational secure coding
concepts: input validation, output encoding, parameterized queries, and least privilege.
 Code Readability - Ability to read and follow code in at least one language relevant to
web security - PHP, Python, JavaScript, or Go. You don't need to be a developer, but you
need to follow logic and spot security-relevant patterns.
 Analytical Thinking - You reason through problems methodically. You can explain not
just what a vulnerability is but why it exists, how it is exploited, and what fixing it
actually requires.
 Clear Written Communication - You write findings and summaries that are precise,
reproducible, and useful to the engineers who need to act on them.
 Curiosity and Initiative - You dig into problems rather than stopping at the surface.
When something looks wrong, you investigate before concluding.

 Participation in bug bounty programs or CTF competitions
 Basic scripting ability for automation - Python or Bash
 Familiarity with CI/CD pipelines and where security tooling fits
 Exposure to cloud environments - GCP, AWS, or Azure
 Relevant coursework or certifications - eWPT, CEH, or similar entry-level credentials