Role: Application Security SME
Location: 44 King Street West, Scotia Plaza, Toronto
Hiring Mode: 12 Months Contract + Possible Extension
Work Type: Hybrid (3 days/week onsite)
Experience Required: 8+ Years
Pay: CAD 70/Hr.
Role Summary
We are seeking an experienced Application Security SME to lead and strengthen application security across the software development lifecycle. The ideal candidate will have expertise in secure application architecture, secure coding, security testing, DevSecOps, and cloud security. This role requires close collaboration with development, engineering, DevOps, architecture, and risk teams to embed security into modern application environments.
Key Responsibilities
Application Security
- Serve as the Subject Matter Expert (SME) for application security across enterprise applications.
- Define and enhance application security standards, frameworks, and best practices.
- Provide guidance on secure design, secure coding, threat mitigation, and vulnerability management.
- Promote security-by-design principles across application development.
Secure SDLC & DevSecOps
- Drive the implementation and maturity of the Secure Software Development Lifecycle (SSDLC).
- Integrate security controls and testing into CI/CD pipelines.
- Enable automation of application security testing and promote a shift-left security approach.
Architecture & Threat Modeling
- Conduct application architecture and design security reviews.
- Lead threat modeling sessions for web, mobile, API, cloud-native, and microservices applications.
- Review authentication, authorization, session management, data protection, input validation, and API security controls.
- Recommend secure architecture patterns and implementation guidelines.
Security Testing & Vulnerability Management
- Lead or support application security assessments using:
  - SAST
  - DAST
  - Software Composition Analysis (SCA)
  - API security testing
  - Manual security reviews and penetration testing coordination
- Analyze and prioritize vulnerabilities based on risk and business impact.
- Partner with development teams to validate remediation and manage third-party/open-source component risks.
Cloud Security & Governance
- Provide security guidance for cloud-native applications, containers, Kubernetes, serverless, and API-based architectures.
- Collaborate with cloud engineering teams to secure workloads on Azure, AWS, or GCP.
- Support compliance with internal policies and industry standards.
- Contribute to audits, risk assessments, security metrics, and reporting.
Required Qualifications
- Bachelor's degree in Computer Science, Information Security, Engineering, or a related field.
- 8+ years of experience in Application Security, Secure Software Engineering, or Cybersecurity Architecture.
- Experience implementing enterprise application security programs.
- Strong knowledge of:
- Secure SDLC / SSDLC
- DevSecOps
- OWASP Top 10
- OWASP API Security Top 10
- Secure coding and common web application vulnerabilities
- Hands-on experience with application security tools, including:
- SAST: Checkmarx, Fortify, Veracode, SonarQube
- DAST: Burp Suite, AppScan, Acunetix
- SCA: Snyk, Black Duck, Mend (formerly WhiteSource)
- Experience with threat modeling methodologies (e.g., STRIDE).
- Strong understanding of authentication, authorization, encryption, secrets management, and secure design principles.
- Experience securing applications on Azure, AWS, or GCP.
- Excellent communication and stakeholder management skills.
Preferred Qualifications
- Experience in Banking, Financial Services, Insurance (BFSI), Healthcare, or Public Sector environments.
- Familiarity with security frameworks and regulatory requirements such as NIST, ISO 27001, PCI DSS, SOC 2, and OSFI guidelines.
- Experience with CI/CD platforms including Azure DevOps, Jenkins, GitHub Actions, or GitLab.
- Knowledge of container security, Kubernetes security, and cloud workload protection.
- Exposure to red team/blue team collaboration.
Preferred Certifications
- CISSP
- CSSLP
- CISM
- CEH, GWAPT, or OSCP (Nice to Have)
- Azure, AWS, or GCP Cloud Security Certifications
Key Competencies
- Expertise in application security architecture and secure development practices.
- Strong analytical and problem-solving skills.
- Ability to influence cross-functional engineering teams.
- Excellent communication and stakeholder management skills.
- Ability to balance security, business priorities, and delivery timelines.
- Self-driven with the ability to lead strategic application security initiatives.