Security Engineer, Application Security

About The Position

Requirements

• Bachelor’s degree in Technology, Engineering, Computer Science, or a related field
• A minimum of 5 years of experience in progressively senior technical roles with responsibility focused on information security processes, products, and projects
• Very strong knowledge in engineering secure systems
• Experience with securing cloud environments (MS Azure)
• Must have excellent documentation, customer-service, listening, communication and problem-solving skills
• Must be able to implement programs, security technologies and solutions to measure and sustain the security posture of large, complex environments
• Professional certifications such as Global Information Assurance Certification (GIAC), Certified Information Systems Security Professional (CISSP), Offensive Security Certified Professional (OSCP), Certified Information Security Manager (CISM) or equivalent experience is essential
• Must have some combination of strong hands-on experience with at minimum 4 or 5 of the following skills or technologies: Identity and access management systems for hybrid environments, Secure coding practices, Systems engineering, Ethical vulnerability research and threat modeling, Windows, UNIX, and Linux operating systems security, virtualization technology security, container security and serverless computing security, Privileged access management systems for hybrid environments, EDR and/or other endpoint protection technologies, Zero Trust system design, Cloud Native Application Protection Platform (CNAPP) systems, Secure application design principles, Data Classification and DLP solutions, Enterprise vulnerability management, including vulnerability assessment, remediation, and reporting, Phishing and social engineering
• Experience with application security testing tools including Static analysis/SAST, Dynamic analysis/DAST, IAST, and Software Composition Analysis (SCA)
• Knowledge of secure API design, authentication patterns (OAuth 2.0, OpenID Connect), and API gateway security
• Experience with Infrastructure as Code (IaC) security scanning (Terraform, ARM templates, CloudFormation)
• Proficiency in programming languages such as Python, JavaScript/TypeScript, Java, C#, or Go
• Knowledge of AI/ML application security considerations, including prompt injection prevention and model security

Nice To Haves

• Experience with Agile methods (Scrum) and DevOps practices is an asset
• Professional certifications such as GWAPT, GWEB, CSSLP, CEH, OSWE, or equivalent experience is an asset

Responsibilities

• Development of new and innovative ways to solve existing production security issues as well as evaluate new technologies and processes that enhance security capabilities
• Develops technical security requirements for new products, tools and services envisioned for implementation at BCI
• Help and guide projects during solution design phase
• Collaborates and coordinates with application, operations, and product teams to provide guidance on the development of secure product designs that meet security requirements
• Ability to communicate complex security issues and develop security user stories in language that non-technical stake holders can understand
• Ability to respond to information security issues at each stage of a project’s lifecycle
• Proactively identifies risks and issues and proposes solutions to remove barriers
• Undertakes special projects or assignments as required
• Ability to document designs as well as produce technical reports in support of security initiatives
• Consults on designs, implementations, and maintenance of DevSecOps pipelines that integrate security testing (SAST, DAST, SCA) into CI/CD workflows
• Works with DevSecOps to develop and maintain secure coding standards, guidelines, and training materials for development teams
• Conducts application security assessments, threat modeling sessions, and architecture reviews for new and existing applications
• Champions security culture by embedding into Agile development teams as a security subject matter expert
• Triages and prioritizes application security vulnerabilities, working with development teams on remediation strategies
• Develops and maintains security testing automation to enable continuous assurance of application security posture
• Monitors emerging application security threats, vulnerabilities, and attack techniques to proactively address risks
• Leads and completes security risk reviews on software, SaaS, third party and written code
• Monitors emerging AI and ML security threats, vulnerabilities and attack techniques and proposes new solutions to emergent risks in these areas
• Performs other related duties as required

Benefits

• comprehensive health & dental benefits
• a defined benefit pension plan
• paid time off