Cossack Labs is a British company, headquartered in London, with R&D offices across Ukraine. We support innovators by protecting innovations. Our data security solutions assist businesses of all sizes and industries protecting their sensitive data against external attackers, insider threats, mis-configurations while remaining compliant with regulations.
7 лютого 2024

Application Security Engineer (вакансія неактивна)

Київ, Львів $2000–3500

This vacancy is only for Ukrainian residents within Ukraine.

We are looking for an AppSec Engineer. If you are interested in designing and building security controls, working hand-in-hand with software developers, and performing security assessments, this may be your position!


  • Perform security assessment and review of code and behavior of systems (web, API, backends).
  • Perform risk analysis and threat modelling.
  • Perform security search for weaknesses and vulnerabilities in software in novel fields and areas.
  • Participate in SSDLC for our products and our customers’ products. Explain risks & threats, work with developers to select security controls that would improve security without restricting usability/performance.
  • Take part in organisation security practices and work with business owners (risk assessment, craft policies for organisations, guide companies for more secure future).
  • Communicate about security technical topics with both technical and non-technical audiences (C-level managers, developers, product owners).
  • Dive into application security, infrastructure security, cloud and on-prem infrastructures, dedicated hardware, IoT security, ML security, and weird stuff beyond casual imagination with our team of skilled engineers. Check out an example of our work.
  • Stay updated with emerging security threats, vulnerabilities, and controls by reading articles, papers, and NIST guidelines. Follow CVE updates and understand how the threat landscape is changing
  • Contribute to open-source standards such as OWASP standards and guidelines.


  • 3+ years as an application security engineer or similar position.
  • Experience in performing security assessment for web applications and cloud systems.
  • Experience designing and implementing security processes and security controls in a technically diverse environment.
  • Be familiar with application security verification and software maturity frameworks: OWASP SAMM, OWASP ASVS, OWASP MASVS.
  • Understanding SSDLC and its difficulties: OWASP SSDLC, NIST SSDF.
  • An overall understanding of what information security is, how real-world risks and threats affect the choice of security controls. How to combine detective, preventive and corrective controls.
  • Experience in popular security tools required for the job, or ability to learn them quickly (Burp Suite, network analysers, various SAST and DAST, dependency and vulnerability scanners).

Nice to have:

  • A certain area of expertise and deep interest in web, mobile, IoT, infrastructure — an area where you have “seen things” and ready to share experience.
  • Basic knowledge in cryptography: understanding the differences between symmetric and asymmetric cryptography, hashing, KDF.
  • Knowledge in one of several business domains: banking finance/payment processing, cryptocurrencies, IoT, hardware and ICS.
  • Understanding security standards and methodologies (NIST, ISO, CMMI, SOC).
  • Understanding risk management and threat modelling (NIST RMF, FAIR, STRIDE, MITRE ATT&CK).
  • Practical experience in scripting languages: Python or Bash.

Our hiring process:

  • Test task
  • Introduction call
  • Technical interview
  • Offer

What’s in it for you?

  • Competitive compensation with a flexible bonus scheme.
  • Hybrid work model: this position allows for a combination of in-office and remote work as needed.
  • UK, EU and USA clients.
  • Working at the crossroads of ML security, cryptographic protocol support, hardware protection, reverse-resilient mobile app development, and securing web apps for millions of users.
  • Public track record in the open-source aspect of our products.
  • Conferences, books, courses — we encourage learning and sharing with the community. Our team members share a lot in talks, workshops, and blog posts.
  • Paid vacation — 21 business days per year.
  • Paid sick leaves.

Our software is well-known amongst security-aware teams, recommended by OWASP, and popular for easily solving complicated security challenges. Apart from building “off-the-shelf” solutions, we design custom security controls for novel problems. We work in the B2B space, with customers such as power grid operators, payment processors, legal companies, and million-user customer applications. We cater to young ambitious startups and well-established enterprises, that use our software and solutions as a core part of their security arsenal.