Junior Application Security Specialist

## Responsibilities Triage Security Findings - Assess incoming bug bounty reports and scanner findings. Evaluate validity, calculate real severity, and escalate appropriately with clear written summaries.  Assist with Vulnerability Assessments - Participate in security assessments of web applications and APIs. Help identify and document risks in new features and existing systems.  Write Clear Security Documentation - Document findings, reproduce steps, and remediation guidance in a way that engineering teams can act on.  Support Threat Modeling - Participate in threat modeling sessions. Learn to identify trust boundaries, data flows, and attack surfaces in system designs.  Monitor Security Tools - Help operate SAST, DAST, and dependency scanning tooling. Track findings, reduce noise, and support remediation workflows.  Support Code Reviews - Review code for common vulnerability classes under guidance of senior specialists. Learn to identify security issues across PHP, Python, and Go codebases.  Stay Current - Follow developments in the security community. Bring awareness of new vulnerability classes, CVEs, and attack techniques relevant to our stack. ## What You Bring  Web Security Fundamentals - Solid understanding of common vulnerability classes: OWASP Top 10, CSRF, XSS, IDOR, SQL injection, open redirect, authentication and session management weaknesses. You understand root causes, not just names.  Web and Browser Fundamentals - Solid understanding of how web applications work: HTTP request/response cycle, client-server model, REST APIs, how browsers handle same-origin policy, cookies and their attributes, and CORS. This is the foundation everything else builds on.  Security Testing Tools - Hands-on experience with Burp Suite or similar web application security testing tools. You have used them to intercept, modify, and replay requests - not just run automated scans.  Vulnerability Documentation - Able to reproduce a vulnerability and write it up clearly: reproduction steps, proof of concept, and impact statement. Findings that engineering teams cannot reproduce or understand do not get fixed.  Secure Development Awareness - Familiarity with foundational secure coding concepts: input validation, output encoding, parameterized queries, and least privilege.  Code Readability - Ability to read and follow code in at least one language relevant to web security - PHP, Python, JavaScript, or Go. You don't need to be a developer, but you need to follow logic and spot security-relevant patterns.  Analytical Thinking - You reason through problems methodically. You can explain not just what a vulnerability is but why it exists, how it is exploited, and what fixing it actually requires.  Clear Written Communication - You write findings and summaries that are precise, reproducible, and useful to the engineers who need to act on them.  Curiosity and Initiative - You dig into problems rather than stopping at the surface. When something looks wrong, you investigate before concluding. ## Nice to Have  Participation in bug bounty programs or CTF competitions  Basic scripting ability for automation - Python or Bash  Familiarity with CI/CD pipelines and where security tooling fits  Exposure to cloud environments - GCP, AWS, or Azure  Relevant coursework or certifications - eWPT, CEH, or similar entry-level credentials Xsolla operates across multiple time zones. Strong written communication is essential - you will need to document your work clearly so findings and context are not lost across handoffs. We value directness, intellectual honesty, and follow-through. If you do not know something, say so and find out. If you find something, explain it clearly and see it through to resolution.