Job Details
Job Title: Application Security Engineer
Location: Toronto, ON (Hybrid)
Job Type: Full-time
Work Permit: Canadian Citizen or PR
Position Overview: The application security engineer is responsible for validating that application services are designed and implemented to high security standards. The role analyzes the security of applications together with their underlying services, including connected dependencies such as middle-tier systems and databases. Additionally, the application security engineer addresses legacy and emerging security issues and implements repeatable secure development practices to reduce the introduction of design flaws that may lead to exploitation. As issues are uncovered, the application security engineer communicates with the appropriate technical and leadership teams to ensure a focus on risk mitigation that allows for business continuity without accepting negligent risk. Application security engineers are constantly assessing applications for weaknesses and finding resolutions before they can be abused.
This position is also responsible for assessing the security of applications for business-to-business initiatives, third-party relationships, and vendors. Considered a highly knowledgeable individual, the application security engineer is expected to recommend programmatic controls and to monitor and manage secure development practices that address modern-day issues.
Responsibilities:
Develop secure software development standards and their implementation across the product suite.
Work with development teams to ensure Software Composition Analysis (SCA), Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) scans are conducted on a defined cadence.
Coordinate external application penetration testing and application vulnerability assessments.
Ensure software vulnerabilities are tracked and remediated within appropriate timelines, and that security exceptions are managed.
Focus on automation to improve the efficiency of both testing and remediation of findings.
Work in tandem with developers to provide repeated validation testing prior to production, allowing for a continuous cycle of development followed by application security assessments.
Regularly monitor the security community for public-facing security issues, and learn new tactics that can be used in testing.
Attend and participate in application projects and change management committees. This includes interacting with product and technical teams to understand what is coming and how their projects can be made more secure from the beginning.
Use security standards and implementation configurations, as well as common security frameworks.
Align with architects and development teams on a mission of secure design.
Train developers on secure coding practices.
Actively participate in and lead meetings that facilitate secure design.
Engage closely in information security projects that evaluate existing security infrastructure and propose changes as defined by security leadership, development managers and architects.
Focus on application security that observes compliance with PCI DSS, SOC 2 (SSAE 18), ISO 27001 and global privacy laws.
Work in tandem with architecture, development, product and security team members.
Develop security test plans from architectural designs. Identify deficiencies and make enhancements to ensure production is not impacted.
Perform other duties as assigned by the Chief Information Security Officer.
Job Qualifications:
5+ years' experience in cybersecurity, including compliance and risk management, with a background in system and network security engineering or development.
Highly technical and analytical experience, with a proven deep background (preferably 5+ years in addition to cybersecurity) in application programming.
Experience in threat modeling applications.
Application vulnerability and penetration-testing skills are an asset.
Excellence in communicating the business risk of cybersecurity issues.
Proficiency in software development (Java, Angular, C#, Spring, ASP.NET, Python, etc.).
Solid understanding of network and web protocols.
Experience with SCA, SAST and DAST tools; knowledge of the Synopsys tools Coverity, Black Duck and Tinfoil is an asset.
Understanding of frameworks such as OWASP, BSIMM, SAMM, SABSA, O-ESA, etc.
Track record of acting with integrity, taking pride in work, seeking to excel, being curious and adaptable, and communicating effectively.
Additional Qualifications:
Experience with applications hosted in Amazon Web Services (AWS) or Microsoft Azure.
Experience with cryptography controls and measures to secure applications and data.
Proficiency with scripting in Python, JavaScript, PowerShell or Bash.
DevOps background in public and private clouds.
Experience with one or more of the following: ISO 27001, NIST CSF, PCI DSS, GDPR, CIS standards or SOC 2.
Working knowledge of Windows, Linux and Unix.
Familiarity with privacy laws.
Education Requirements:
Bachelor's degree or college diploma in Computer Science, Cybersecurity, Engineering, Information Technology or a related field, or equivalent.
Experience Requirements:
5-7+ years of related experience required.
Certification Requirements:
One of CISSP, CSSLP, CISM, OSCP, CEH, SANS GWAPT, etc.