Senior Application Security Specialist
Xsolla is a video game commerce company that provides a suite of tools and services—including merchant of record payment processing, tax management, fraud prevention, compliance, refunds, dispute management, and end-user support—to help game developers and publishers launch, grow, and monetize their games globally. It serves video game developers, publishers, and studios of all sizes across global and regional markets.
About Xsolla
Xsolla connects the tools, systems, payments, and web shops used by the video games industry, positioning itself as a global merchant of record supporting over 1,000 payment methods and a cumulative audience of 50 million, with transaction fees around 5%. Its services include tax management, fraud monitoring and prevention, global and regional regulatory compliance, refund and dispute management, and end-user payment support. Xsolla's product lineup includes the Xsolla SDK for native in-app payments on side-loaded apps and alternative app stores, a Buy Button enabling link-out purchases from iOS mobile games in the U.S., and Web Shop for building customized, direct-to-consumer game storefronts. The company works with major gaming industry partners and clients such as Mytona, Ubisoft, MARVEL SNAP, and others, and highlights partner success stories, industry events, and its own culture and hiring initiatives on its site.
Skills
About the Role
You will own security initiatives end-to-end, identifying, assessing, and driving remediation of security vulnerabilities across products and infrastructure. You will lead day-to-day AppSec work including deep code reviews, vulnerability triage, threat modeling, and security testing, and set the standards for how this work is done. You are expected to be rigorous, pragmatic, and able to balance security risk against business velocity in a payment platform operating at scale. You will also mentor junior specialists and help raise the security bar across engineering teams. You will need to document your work clearly so findings and context are not lost across handoffs.
Requirements
- 4+ years in application security or a closely related security engineering role with demonstrable ownership of AppSec programs or major initiatives
- Expert-level understanding of vulnerability classes including OWASP Top 10 SSRF deserialization request smuggling OAuth/OIDC flaws and business logic abuse
- Extensive hands-on experience with Burp Suite and manual testing methodology
- Comfortable reading and auditing code in at least one of PHP Python Go or JavaScript
- Practical experience embedding security into development workflows including security requirements design review CI/CD security gates and developer enablement
- Ability to calculate and defend real severity and explain risk to engineers and leadership
- Analytical thinking to reason through problems methodically
- Ownership and follow-through to drive findings to resolution across team boundaries
Responsibilities
- Own vulnerability management by leading triage of bug bounty reports and scanner findings
- Set severity standards and drive escalation policy to ensure remediation SLAs are met across teams
- Lead security assessments by planning and conducting in-depth penetration tests of web applications APIs and services
- Define assessment scope and methodology
- Drive threat modeling by facilitating sessions with engineering teams
- Identify trust boundaries data flows and attack surfaces early in the design phase and embed the practice into the SDLC
- Own AppSec tooling strategy by selecting operating and tuning SAST DAST SCA and secrets-scanning tooling
- Design noise-reduction and auto-triage workflows and integrate security gates into CI/CD
- Lead secure code reviews across PHP Python and Go codebases
- Define secure coding guidelines and review checklists for engineering teams
- Mentor and educate junior security specialists and run internal security training
- Champion security awareness among developers
- Write clear security documentation including findings reproduction steps and remediation guidance
- Set the documentation standard for the team
