Senior Application Security Engineer

ANVIL - 3 jobs

Ottawa, ON

Posted today

Job details:

Remote
$125,000 - $165,000 / year
Full-time
Executive

Benefits:

Health insurance

Salary: CAD $125,000.00 - $165,000.00

Senior Application Security Engineer

About ANVIL

ANVIL is a trusted partner in the defence industry, delivering cutting-edge solutions that enhance military capabilities and operational effectiveness. We extend our expertise to public safety, law enforcement, and national security organizations, accelerating mission-critical decision-making through analytical tools, automations, and game-changing machine learning capabilities. ANVIL helps organizations discover, manage, enrich, fuse, and exploit the information available to them in support of Information Dominance and Decision Advantage.

Job Type: Full Time Remote (Hybrid option available for those in the Ottawa area - 55 Murray Street Office)

Total Compensation: CAD $125,000 to $165,000 base salary - Placement within range based on experience and qualifications

Role (Description)

As a Senior Application Security Engineer, you will be a cornerstone of ANVIL's security posture, reporting directly to the Director of Security Engineering and playing a key role in building out our application security program from the ground up. You will embed security practices across the software development lifecycle and provide hands-on expertise in threat modeling, penetration testing, and secure deployment architecture. ANVIL's products are primarily deployed in air-gapped, classified environments, which means the security decisions you make have real operational weight and must hold up without the safety net of perimeter-based cloud controls. You will work closely with engineering teams to ensure that security is not an afterthought but an intrinsic quality of everything we ship.

Working alongside the Director of Security Engineering, you will help shape AppSec strategy, conduct architecture reviews, perform application and infrastructure penetration testing, and drive the maturation of our secure development practices. You will also serve as a subject-matter expert and trusted advisor for our customers in the defence and national security space, organizations where the consequences of a security failure are never abstract.

We value people who have an ingrained sense of accountability to the team around them. As an ideal candidate, you are not only technically qualified but demonstrate a strong work ethic and take pride in your craft. You collaborate and communicate effectively with the other talented and motivated members of our organization, translating complex security risks into clear, actionable guidance for both technical and non-technical audiences.

We encourage our employees to expand their horizons by developing new skills, sharing bold ideas, and taking risks. As a senior engineer, you lead by example and provide mentorship to other employees in your field of expertise.

This is a full-time position based in Ottawa with up to 25% travel, primarily in the National Capital Region. Eligible candidates must either possess or be eligible to obtain a Government of Canada Secret or Top Secret security clearance.

Required Qualifications

Security Clearance

Eligible for Government of Canada Secret or Top Secret security clearance

Education & Experience

  • Bachelor's degree in Software Engineering, Computer Science, Cybersecurity, or a related technical field, or 10+ years of professional software or security engineering experience
  • Minimum of 7+ years of experience in application security, penetration testing, or security engineering roles
  • A minimum of 3+ years of hands-on experience with threat modeling methodologies (e.g., STRIDE, PASTA, LINDDUN, or Attack Trees)
  • A minimum of 3+ years of experience embedding security into CI/CD pipelines and secure SDLC practices
  • Demonstrated experience conducting application and infrastructure penetration tests and red team assessments in production or pre-production environments
  • Proven experience securing applications and infrastructure in air-gapped, on-premises, or classified deployment environments
  • Experience with GCP or equivalent cloud platform for dev/staging environment security

Skills & Competencies

  • Expert knowledge of application security principles and secure development practices (OWASP Top 10, SANS CWE, NIST SSDF)
  • Expert knowledge of threat modeling techniques and architecture security review practices
  • Strong knowledge of penetration testing methodologies for web applications, APIs, and cloud environments
  • Strong knowledge of DevSecOps tooling, including SAST, DAST, SCA, container scanning, and secrets detection
  • Strong knowledge of security architecture for air-gapped and disconnected environments, including supply chain integrity, offline update mechanisms, and hardened OS/container baselines
  • Working knowledge of GCP security controls, IAM, and posture management for dev and demo environment governance
  • Strong knowledge of cryptographic protocols, authentication standards (OAuth 2.0, OIDC, SAML), and secure API design
  • Experience with container and Kubernetes security hardening
  • Familiarity with regulatory and compliance frameworks relevant to defence and public safety environments (e.g., ITSG-33, FedRAMP, SOC 2)
  • Strong analytical mindset with exceptional attention to detail
  • Excellent verbal and written communication skills, with the ability to clearly articulate risk and remediation strategy to both technical and non-technical audiences
  • Demonstrated ability to work collaboratively across development teams and with engineering leadership
  • Proven ability to manage multiple concurrent security initiatives and findings remediation programs

Preferred Qualifications

  • Relevant security certifications (OSCP, GWAPT, GWEB, CSSLP, CISSP, or equivalent)
  • Scripting and automation experience (Python, Go, Bash, Rust, or other)
  • Experience with red team tooling and adversary simulation frameworks (Metasploit, Cobalt Strike, Burp Suite Pro, or equivalent)
  • Experience with PostgreSQL, OpenSearch, and Elasticsearch security hardening
  • Stream processing security experience (Kafka, message brokers)
  • Experience with secret management platforms suited to air-gapped environments (HashiCorp Vault, OpenBao, or equivalent on-premises solutions)
  • Bilingualism French/English
  • Experience working in or closely with defence, public safety, or national security organizations

Key Responsibilities

Secure SDLC & AppSec Program Ownership

  • Assist the Director of Security Engineering in building and maturing ANVIL's application security program across all product lines and delivery mechanisms
  • Help define and enforce secure coding standards, security review gates, and developer security training initiatives
  • Integrate and maintain AppSec tooling (SAST, DAST, SCA, container scanning, secrets detection) within CI/CD pipelines
  • Establish and track security KPIs and provide regular reporting on program health to the Director of Security Engineering
  • Advise on and implement DevSecOps best practices across the full platform, ensuring security keeps pace with the speed of development

Threat Modeling & Architecture Review

  • Lead threat modeling sessions for new and evolving system architectures using structured methodologies (STRIDE, PASTA, LINDDUN, or equivalent)
  • Perform security architecture reviews at design and code review stages, identifying systemic risks before they reach production
  • Develop and maintain reusable threat libraries, security design patterns, and architecture guidance documents
  • Collaborate with engineering teams to validate that security controls address identified threats end-to-end
  • Partner with engineering leadership to incorporate security requirements into product roadmaps and sprint planning

Penetration Testing & Red Team

  • Plan and execute application, API, network, and cloud infrastructure penetration tests against ANVIL products and customer environments
  • Produce clear, actionable penetration test reports with risk-rated findings and remediation guidance tailored to the audience
  • Manage findings through to remediation, verifying fixes and maintaining an up-to-date risk register
  • Simulate adversarial attack scenarios to assess detection and response capabilities and inform defensive improvements
  • Stay current with the evolving threat landscape, TTPs, and vulnerability research relevant to ANVIL's operational domains

Deployment & Infrastructure Security

  • Define and implement security baselines and hardening standards for air-gapped, on-premises, and appliance-based deployments, ANVIL's primary delivery mechanism for production customer environments
  • Harden containerized workloads (Docker, Kubernetes) for disconnected operation, including secure image distribution, offline vulnerability scanning, and supply chain integrity controls
  • Assess and remediate insecure configurations, excessive permissions, and network exposure risks across all deployment targets
  • Maintain GCP security baselines, IAM policies, and posture management controls for ANVIL's internal dev and demo environments
  • Collaborate with DevOps and infrastructure teams to ensure security controls are applied consistently and verifiably across all delivery mechanisms: cloud, VM, and appliance

Technical Support & Collaboration

  • Provide on-site support and security guidance to customers for software product provisioning, security configuration, and incident response
  • Participate actively in sprint planning, technical reviews, and architecture discussions as a security voice
  • Mentor team members on secure development practices, vulnerability research, and applied security tooling
  • Lead by example, demonstrating rigor, intellectual curiosity, and accountability in everything you do

Why Join Us?

Our Mission

This is more than just a job; you'll be part of a team of dedicated professionals who share a common goal: to increase the safety and security of Western democracies through the effective use of data. Our workplace is not just a job; it's a community of like-minded people working together to make a positive impact on the world we live in.

Compensation & Benefits

  • Competitive salaries
  • Flexible health benefits package through Equitable
  • Industry-leading employer retirement contributions match

Work Environment

  • Hybrid work model combining remote flexibility with meaningful in-person collaboration
  • Modern office in the historic Carriageway building in beautiful downtown Ottawa
  • Access to downtown amenities, transit, and Ottawa's vibrant cultural scene

What You'll Experience

  • Work alongside dedicated professionals who value excellence and collaboration
  • Contribute to building the team behind technologies with real-world security impact
  • Ground-floor opportunity to shape people operations as ANVIL scales
  • Join a culture where your expertise and ideas matter

Use of AI in Recruitment: ANVIL does not use artificial intelligence to screen, assess, or select applicants for this position. All applications are reviewed by members of our recruitment team.
