Cossack Labs is a British company, headquartered in London, with R&D offices across Ukraine. We support innovators by protecting innovations. Our data security solutions help businesses of all sizes and industries protect their sensitive data against external attackers, insider threats, and misconfigurations while remaining compliant with regulations.
13 February 2024

Junior AppSec Engineer (vacancy inactive)

Kyiv, Lviv $1500–2300

This vacancy is only for Ukrainian residents within Ukraine.

We are looking for a junior Application Security Engineer. If you are interested in performing security assessments and working hand-in-hand with security engineering and software developers, this may be your position!


  • Perform security assessment and review of code and behaviour of systems (web, API, backends, Linux). Mostly whitebox, occasional blackbox.
  • Perform security search for weaknesses and vulnerabilities in software in novel fields and areas.
  • Participate in SSDLC for our products and our customers’ products. Explain risks & threats, work with developers to select security controls that would improve security without restricting usability/performance.
  • Dive into application security, infrastructure security, cloud and on-prem infrastructures, dedicated hardware, IoT security, ML security, and weird stuff beyond casual imagination with our team of skilled engineers. Check out an example of our work.
  • Stay updated with emerging security threats, vulnerabilities, and controls by reading articles, papers, and NIST guidelines. Follow CVE updates and understand how the threat landscape is changing.


  • 1+ years as an application security engineer or similar position.
  • Experience in performing security assessment for web applications and cloud systems.
  • Be familiar with application security verification frameworks: OWASP ASVS.
  • Understanding SSDLC and its difficulties: OWASP SSDLC, NIST SSDF.
  • An overall understanding of what information security is, how real-world risks and threats affect the choice of security controls. How to combine detective, preventive and corrective controls.
  • Experience in popular security tools required for the job, or ability to learn them quickly (Burp Suite, network analysers, various SAST and DAST, dependency and vulnerability scanners).

Nice to have:

  • A certain area of expertise and deep interest in web, mobile, IoT, infrastructure — an area where you have “seen things” and are ready to share your experience.
  • Basic knowledge in cryptography: understanding the differences between symmetric and asymmetric cryptography, hashing, KDF.
  • Be familiar with NIST SP 800-53.
  • Be familiar with threat modelling (OWASP threat modelling, STRIDE, MITRE ATT&CK).
  • Practical experience in scripting languages (Python, Bash, or even JavaScript (meh)).

Our hiring process:

  • Test task
  • Introduction call
  • Technical interview
  • Offer

What’s in it for you?

  • Competitive compensation with a flexible bonus scheme.
  • Hybrid work model: this position allows for a combination of in-office and remote work as needed.
  • UK, EU and USA clients.
  • Working at the crossroads of ML security, cryptographic protocol support, hardware protection, reverse-resilient mobile app development, and securing web apps for millions of users.
  • You will work with people deeply interested in security engineering, you will learn a lot.
  • Public track record in the open-source aspect of our products.
  • Conferences, books, courses — we encourage learning and sharing with the community. Our team members share a lot in talks, workshops, and blog posts.
  • Paid vacation — 21 business days per year.
  • Paid sick leaves.

Our software is well known amongst security-aware teams, recommended by OWASP, and popular for easily solving complicated security challenges. Apart from building “off-the-shelf” solutions, we design custom security controls for novel problems. We work in the B2B space, with customers such as power grid operators, payment processors, legal companies, and million-user customer applications. We cater to young ambitious startups and well-established enterprises that use our software and solutions as a core part of their security arsenal.