Search...

Junior Application Security Specialist

Xsolla logo
Xsolla

Xsolla is a video game commerce company that provides a suite of tools and services—including merchant of record payment processing, tax management, fraud prevention, compliance, refunds, dispute management, and end-user support—to help game developers and publishers launch, grow, and monetize their games globally. It serves video game developers, publishers, and studios of all sizes across global and regional markets.

Distributed
About Xsolla

Xsolla connects the tools, systems, payments, and web shops used by the video games industry, positioning itself as a global merchant of record supporting over 1,000 payment methods and a cumulative audience of 50 million, with transaction fees around 5%. Its services include tax management, fraud monitoring and prevention, global and regional regulatory compliance, refund and dispute management, and end-user payment support. Xsolla's product lineup includes the Xsolla SDK for native in-app payments on side-loaded apps and alternative app stores, a Buy Button enabling link-out purchases from iOS mobile games in the U.S., and Web Shop for building customized, direct-to-consumer game storefronts. The company works with major gaming industry partners and clients such as Mytona, Ubisoft, MARVEL SNAP, and others, and highlights partner success stories, industry events, and its own culture and hiring initiatives on its site.

View jobs by Xsolla

Skills

About the Role

You will join a growing security team, working closely with senior specialists to identify, assess, and help remediate security vulnerabilities across products and infrastructure. You will be involved in day-to-day AppSec work including code reviews, vulnerability triage, threat modeling, and security testing. You are curious, detail-oriented, and eager to develop deep expertise in application security. You will be exposed to real-world security challenges on a payment platform operating at scale, supported by experienced security specialists who will help you grow.

Requirements

  • Solid understanding of common vulnerability classes: OWASP Top 10, CSRF, XSS, IDOR, SQL injection, open redirect, authentication and session management weaknesses
  • Solid understanding of HTTP request/response cycle, client-server model, REST APIs, same-origin policy, cookies, and CORS
  • Hands-on experience with Burp Suite or similar web application security testing tools
  • Able to reproduce a vulnerability and write it up clearly: reproduction steps, proof of concept, and impact statement
  • Familiarity with secure coding concepts: input validation, output encoding, parameterized queries, and least privilege
  • Ability to read and follow code in at least one language relevant to web security - PHP, Python, JavaScript, or Go
  • Analytical thinking to explain vulnerabilities, exploitation, and remediation
  • Clear written communication skills
  • Curiosity and initiative to investigate problems

Responsibilities

  • Assess incoming bug bounty reports and scanner findings, evaluate validity, calculate real severity, and escalate appropriately with clear written summaries
  • Participate in security assessments of web applications and APIs
  • Help identify and document risks in new features and existing systems
  • Document findings, reproduction steps, and remediation guidance for engineering teams
  • Participate in threat modeling sessions and learn to identify trust boundaries, data flows, and attack surfaces
  • Help operate SAST, DAST, and dependency scanning tooling
  • Track findings, reduce noise, and support remediation workflows
  • Review code for common vulnerability classes under guidance of senior specialists
  • Follow developments in the security community and stay aware of new vulnerability classes, CVEs, and attack techniques