
Threat Modeling Information Security Engineer

Insight Global
North York, ON
Posted yesterday
Job Details:
Full-time
Experienced

Title: Threat Modeling Security Engineer - Information Security II

Location: Toronto, ON - Canada M2J 5C2; hybrid role 2-3 days per week

Start Date: ASAP

Duration: 12 Months - likely to extend contract

Minimum Requirements:

- Bachelor's Degree in Computer Science, Information Systems, Business Administration or other related field

- Certification may be required for specific functions

- 3+ years of information security experience

- Experience with gathering functional requirements, deployment of information security tools, and data analysis

- In-depth experience with desktop software and office automation tools

- Experience with information security risk management and process improvement

Preferred Qualifications

- Experience with threat modeling frameworks, attack vectors and vulnerability analysis: CAPEC, ATT&CK, STRIDE.

- Experience with application security controls (Web, API, Mobile, AI).

- Experience with common information security management and application frameworks: NIST 800-53, CSF, OWASP ASVS.

- Experience with Application Security design and DevSecOps

- Full stack knowledge of application architectures including: Single Page Applications, REST APIs, SOAP APIs, Mobile Applications.

- Experience with Java, JavaScript and mobile application development.

- Knowledge or familiarity with database architectures including Oracle, SQL, DB2 and NoSQL Databases

- Experience with Cloud security, architecture, design, implementation, and operations

- Exposure to IAM Controls (OAuth 2.0, OIDC, JWT)

- Strong familiarity with Cryptography Controls (Data at rest, in motion).

- Certifications: CISSP, CISM, CSSLP, CISA, CRISC, OSCP

Job Description:

- Conducts security risk assessments of applications with respect to design and implementation of system and application code

- Develop and manage security governance processes and procedures for the threat modeling program and application security design & DevSecOps programs.

- Assist in the development of threat modeling governance documentation.

- Works with information security leadership to develop strategies and plans to enforce threat modeling and address identified control gaps.

- Develops reports for management concerning residual risk and non-compliance.

- Monitor and track compliance with application owners to ensure implementation of security controls as planned.

- Review issued security controls with application owners to ensure identified requirements are implemented.

- Validate implementation of security controls against outputs of scanning tools to enable auditability and verifiability.

- Assist application owners in filing appropriate security standard exceptions as identified through threat modeling.

- Develop, maintain, update and enhance secure design patterns and secure coding standards.

- Develop, maintain, update and enhance threat libraries.

- Socialize secure design patterns and secure coding standards with engineering teams.

- Assist application teams with threat modeling consultancy questions.

- Consistently enable strong developer and customer experience when liaising with application teams. Uphold Blue Box values when liaising with application teams.

- Develop innovative attack techniques to foil protective design and in-place mitigations.

- Participate in the development of strategies for information security processes and programs.

- Support the investment decision process by developing business cases and cost benefit analysis

- Create reports and other materials to assist in prioritizing activities related to various threats to applications.

- Recommend resource types and skillsets required to resolve project and process issues.

- Document current and desired future state capabilities, incorporating industry leading technologies that enhance AXP's ability to manage IT risk and protect data

- Provide ongoing awareness and education of industry efforts and statistics relevant to information security.

- Develop and define IT and information security standardized metrics and criteria.

- Facilitates improvement solutions by working with all levels across Technology to determine security technology solutions that align with business strategies, IT strategic directions and compliance obligations.

- Facilitates Agile events that help the team deliver value incrementally and iteratively

- Supports the Program Increment (PI) execution through facilitating team level events and partners with the RTE.

- Supports the team in achieving the PI objectives.

- Provides consultation and advice to assess information security risks and mitigate controls to protect corporate intellectual capital, and other sensitive data.
