Application Security Analyst

407 ETRVaughan, ON
CA$95,000 - CA$115,000Onsite

About The Position

As an Application Security Analyst, you will be responsible for supporting and operating core security capabilities across 407 ETR’s digital environment, with a primary focus on application security. This includes promoting secure-by-design practices throughout the SDLC and supporting the integration and operation of security tooling and automation, such as SAST, DAST, SCA, ASPM, and penetration testing services. You will work closely with Architecture, DevOps, QA, Product teams, and external partners to embed security controls into requirements, design, development, testing, and release activities, and track and manage security vulnerabilities through remediation. This role also contributes to improving the overall cyber and technology risk posture, with measurable improvements reflected in the Technology and Cyber Risk Indices (TRI/SRI). Hours of work are onsite, Monday to Friday, 7.5 hours daily, or as required. After-hours support and on-call duties may be required for priority releases or security incidents.

Requirements

  • Minimum 5+ years of experience in IT Security, with strong hands-on experience in Security Operations.
  • College Diploma or University Degree in Computer Science, Engineering, or related field.
  • EDR platforms (e.g., endpoint containment, alert triage, investigation).
  • NDR technologies and network-based threat detection.
  • Security Incident Response and Investigation.
  • Strong understanding of attacker techniques and defensive controls (MITRE ATT&CK).
  • Experience working in regulated or audit-driven environments.
  • Strong understanding of authentication, authorization, MFA, RBAC, and privileged access concepts.
  • SSO Authentication: Experience implementing and supporting SSO solutions for secure user access across enterprise applications.
  • Experience with Data Loss Prevention (DLP) technologies and controls, including policy configuration, monitoring, and incident investigation, is required

Nice To Haves

  • Knowledge of standing up a mature Application Security framework
  • Experience with enterprise SOC tooling including SIEM, EDR, NDR, SOAR.
  • Experience operating security controls in hybrid (on‑prem and cloud) environments.
  • Familiarity with Security Risk Index (SRI), cyber risk metrics, or risk-based reporting.
  • Knowledge of network architecture and segmentation concepts.
  • Experience with Single Sign-On (SSO) integrations and identity federation protocols is an asset.

Responsibilities

  • Embed security requirements and non‑functional controls into epics, features, and user stories; maintain security traceability throughout the lifecycle.
  • Lead threat modeling at design time for new and changed services (web, mobile, APIs, microservices) and ensure mitigations are implemented prior to coding.
  • Define and operate SDLC security gates (pre‑commit, build, test, deployment) with policy‑driven thresholds (e.g., fail on Critical/High) and exceptions governance.
  • Implement and tune SAST, DAST, SCA and ASPM integrations within CI/CD, ensuring coverage, accuracy, and developer‑friendly feedback loops; coordinate PTaaS cycles aligned to release schedules
  • Partner with DevOps to secure build pipelines, artifacts, and environments (e.g., IaC scanning, container image hardening, secrets management, SBOM generation and validation)
  • Work with platform teams to evolve pipelines consistent with the 407 ETR DevOps framework and future‑state CI/CD models
  • Operate a unified findings intake (ASPM as system of record) for automated tool outputs and manual assessments; triage, prioritize, and track remediation to closure
  • Apply a risk‑based SLA model (severity, exploitability, asset criticality) and escalate overdue items; publish weekly triage outcomes and monthly KPIs.
  • Report AppSec posture using TRI/SRI aligned metrics (e.g., unresolved criticals, mean‑time‑to‑remediate, coverage, policy conformance)
  • Provide secure coding guidance, sample patterns, and remediation support for developers; deliver targeted training and office hours
  • Collaborate on architecture reviews, pen‑test scoping, and change risk assessments for web and mobile (using established change‑type workflow)
  • Contribute to AppSec policies/standards and improve documentation (playbooks, runbooks, “definition of done” security criteria)
  • Ensure controls align with PCI DSS Secure SDLC, ISO 27001/27002, and NIST DevSecOps guidance (e.g., SP 800‑204D); support internal/external audits and evidence collection
  • Manage AppSec vendor relationships and deliverables per the Application Security Managed Service scope (ASPM, PTaaS, continuous monitoring)
© 2026 Teal Labs, Inc
Privacy PolicyTerms of Service