Submitting more applications increases your chances of landing a job.
Here’s how busy the average job seeker was last month:
Opportunities viewed
Applications submitted
Keep exploring and applying to maximize your chances!
Looking for employers with a proven track record of hiring women?
Click here to explore opportunities now!You are invited to participate in a survey designed to help researchers understand how best to match workers to the types of jobs they are searching for
Would You Be Likely to Participate?
If selected, we will contact you via email with further instructions and details about your participation.
You will receive a $7 payout for answering the survey.
We are looking for a senior application security specialist to join a growing security team at Xsolla. This is a hands-on role where you will own security initiatives end-to-end - identifying, assessing, and driving remediation of security vulnerabilities across our products and infrastructure.
You will lead day-to-day AppSec work - deep code reviews, vulnerability triage, threat modeling, and security testing - and set the standards for how this work is done. You are rigorous, pragmatic, and able to balance security risk against business velocity in a payment platform operating at scale.
You will also mentor junior specialists and help raise the security bar across engineering teams.
Responsibilities
Own Vulnerability Management - Lead triage of bug bounty reports and scanner findings. Set severity standards, drive escalation policy, and ensure remediation SLAs are met across teams.
Lead Security Assessments - Plan and conduct in-depth security assessments and penetration tests of web applications, APIs, and services. Define assessment scope and methodology.
Drive Threat Modeling - Facilitate threat modeling sessions with engineering teams. Identify trust boundaries, data flows, and attack surfaces early in the design phase, and embed the practice into the SDLC.
Own AppSec Tooling Strategy - Select, operate, and tune SAST, DAST, SCA, and secrets-scanning tooling. Design noise-reduction and auto-triage workflows; integrate security gates into CI/CD.
Lead Secure Code Reviews - Perform security-focused code reviews across PHP, Python, and Go codebases. Define secure coding guidelines and review checklists for engineering teams.
Mentor and Educate - Coach junior security specialists, run internal security training, and champion security awareness among developers.
Write Clear Security Documentation - Document findings, reproduction steps, and remediation guidance in a way engineering teams can act on. Set the documentation standard for the team.
What You Bring
4+ years in application security or a closely related security engineering role, with demonstrable ownership of AppSec programs or major initiatives.
Deep Web Security Expertise - Expert-level understanding of vulnerability classes (OWASP Top 10 and well beyond: SSRF, deserialization, request smuggling, OAuth/OIDC flaws, business logic abuse). You understand root causes, exploitation chains, and realistic impact in production systems.
Offensive Testing Proficiency - Extensive hands-on experience with Burp Suite and manual testing methodology. You can find vulnerabilities that scanners miss and chain low-severity issues into meaningful impact.
Code Fluency - Comfortable reading and auditing code in at least one of: PHP, Python, Go, JavaScript. Able to trace data flows across services and spot vulnerable patterns without runtime access.
Secure SDLC Experience - Practical experience embedding security into development workflows: security requirements, design review, CI/CD security gates, and developer enablement.
Risk Communication - You can calculate and defend real severity, push back on inflated findings, and explain risk to both engineers and leadership in their own language.
Analytical Thinking - You reason through problems methodically and can explain not just what a vulnerability is, but why it exists, how it is exploited, and what fixing it actually requires.
Ownership and Follow-Through - You drive findings to resolution across team boundaries without being asked.
Nice to Have
Track record in bug bounty programs (accepted reports on major platforms) or notable CTF results;
Strong automation skills - Python or Go for building internal security tooling;
Experience securing cloud-native environments - GCP preferred; Kubernetes security a plus;
Advanced certifications - OSWE, OSCP, BSCP, or GWAPT;
Experience in payments, fintech, or other regulated environments (PCI DSS familiarity);
CVE credits, public security research, or conference talks.
You'll no longer be considered for this role and your application will be removed from the employer's inbox.