Senior Application Security Engineer

PEOPLE FORCE CONSULTING INC
Mississauga, ON
Posted yesterday
Job Details:
Full-time
Executive

Job Description

Senior IT Security Advisor - Application Security

Location: Hybrid - 3 days in Mississauga Office

Contract to Hire

Job Summary

The Senior IT Security Advisor - Application Security is responsible for leading efforts to identify and mitigate security vulnerabilities within the client's application portfolio. This role requires a deep understanding of application security and risk management, and the ability to work collaboratively with cross-functional teams to enhance our security posture.

Key Accountabilities

  • Integrate security pipelines into the development process, implementing the “Shift-left” and “Fail the Build” methodologies.
  • Implement Static Application Security Testing (SAST), Software Composition Analysis (SCA), Dynamic Application Security Testing (DAST), and Penetration Testing (PT) activities.
  • Manage and prioritize vulnerabilities, collaborating with IT departments to address them based on risk levels.
  • Protect APIs by leveraging technology to understand and mitigate vulnerabilities, including scanning and alerting on API attacks.
  • Provide advisory services to new and existing projects and inculcate the Security by Design culture.
  • Identify, assess, and document security risks within projects, supporting the definition of strategies to mitigate them effectively to comply with goeasy's security standards.
  • Identify security weaknesses, vulnerabilities, and gaps in the existing technology stack and recommend remediation strategies.
  • Conduct comprehensive security assessments on large, medium and small initiatives.
  • Advise business on information security and privacy matters.
  • Evaluate existing security solutions and propose enhancements to streamline our processes.

Expectations

  • Solid understanding of web application development.
  • Extensive knowledge of the OWASP Top 10 and web application exploitation techniques, and their respective countermeasures.
  • Experience implementing ISO 27001/NIST/PCI-DSS controls or performing threat analysis for IT projects, along with application security experience (security scanning/assessments, pentesting).
  • Scripting/coding in Java, Python, JavaScript, R, Apex, Go, or other languages.
  • Knowledge and experience with CI/CD pipelines, DevOps, DevSecOps, and secure code development.
  • Experience performing and coordinating security tests: vulnerability scans, web application penetration tests, infrastructure penetration tests, network segmentation tests.
  • Proficient in reviewing architecture and solution design documentation to identify and assess potential risks.
  • Review Technical Design documents and perform risk assessments to complete Security Design documents.
  • Strong experience leading complex projects from start to finish and providing security advice to ensure IT security risks are identified and mitigated.
  • Able to reason about security decisions.
  • Able to communicate ideas clearly and effectively to both engineers and business teams.
  • Excellent relationship with key stakeholders such as IT Infrastructure, Engineering, Application Delivery and support teams, Legal, Human Resources and other corporate teams.
  • Coach and mentor developers, engineers and security staff to enhance their efficiency and effectiveness.
  • Develop the application security process to its full potential and maintain its trajectory toward maturity.
  • Mature the security-in-development process.
  • Provide leadership in the Application Security domain.
  • Maintain assigned Bill 198, SOC2 and PCI DSS Compliance and controls under purview.
  • Manage and enhance the security processes and technologies to identify, deter, investigate and remediate security events.
  • Manage relationships and negotiate with key vendors.
  • Inculcate the Security by Design culture with all IT teams.
  • Develop documentation required to support the program's technical issues and training situations.

Qualifications and Skills:

  • Minimum bachelor's degree in computer science, information technology, or cyber security, with preference for a postgraduate degree in the same fields.
  • Five or more years in any security domain (preferably Application Security/Risk Management).
  • Proficiency in security testing tools and methodologies. Experience with Veracode, Tenable, and Azure is highly desirable.
  • Prior experience as an Information security architect is a huge asset.
  • Experience coding in Java, Python, JavaScript, R, Apex, or Go.
  • UNIX, BSD or Linux experience: Preferred.
  • Azure Data-lakes, Windows SQL and/or PostgreSQL experience is good to have.
  • Working experience in a Level 1 PCI DSS and SOC 2 compliant environment is highly desired.
  • Experience managing activities in a SOX or Bill 198 compliant environment is preferred.
  • Knowledge of Canadian privacy laws required; prefer also UK (GDPR) and USA (California).