Application Security SME – DevSecOps, OWASP, API Security, Checkmarx, Fortify
44 King, Scotia Plaza, Toronto, ON – 3 days onsite
12 Months Contract
Key Responsibilities
Application Security Strategy & Advisory
- Act as the Subject Matter Expert (SME) for application security across enterprise platforms and development teams
- Define and enhance the organization’s application security strategy, standards, and control frameworks
- Provide expert guidance on secure design, secure coding, threat mitigation, and vulnerability management
- Partner with engineering and architecture teams to embed security-by-design principles into applications and digital initiatives
Secure SDLC / DevSecOps Enablement
- Drive implementation and maturity of the Secure Software Development Lifecycle (SSDLC)
- Integrate security controls and testing into CI/CD pipelines and DevSecOps workflows
- Enable use of security tools and automation across build and release processes
- Promote a shift-left security approach to detect and remediate issues early in the development lifecycle
Architecture Reviews & Threat Modeling
- Perform application architecture and design reviews to identify security risks and recommend remediation strategies
- Lead threat modeling sessions for web, mobile, API, and cloud-native applications
- Review application components for vulnerabilities related to authentication, authorization, session management, input validation, data protection, and API security
- Recommend secure reference architectures, reusable security patterns, and implementation guardrails
Security Testing & Vulnerability Management
- Lead or support application security assessments, including:
  - Static Application Security Testing (SAST)
  - Dynamic Application Security Testing (DAST)
  - Software Composition Analysis (SCA)
  - API Security Testing
  - Manual security reviews and penetration testing coordination
- Analyze, triage, and prioritize vulnerabilities based on risk and business impact
- Work closely with development teams to track remediation and validate closure of security issues
- Support secure management of open-source components and third-party libraries
Cloud & Modern Application Security
- Provide security guidance for modern application environments, including:
  - Microservices and APIs
  - Containers and Kubernetes
  - Cloud-native applications
  - Serverless and event-driven architectures
- Collaborate with cloud and platform engineering teams to secure application workloads in Azure, AWS, or GCP
Compliance, Governance & Risk
- Ensure application security practices align with internal security policies and external standards/regulations
- Support compliance requirements related to secure development and application security controls
- Contribute to audit responses, control evidence collection, and security risk assessments
- Develop security metrics, dashboards, and reporting to track application security posture and control effectiveness
Required Qualifications
- Bachelor’s degree in Computer Science, Information Security, Engineering, or related field
- 8+ years of experience in application security, secure software engineering, cybersecurity architecture, or related roles
- Proven experience implementing and managing application security programs in enterprise environments
- Strong understanding of:
  - Secure SDLC / SSDLC
  - DevSecOps principles
  - OWASP Top 10
  - API Security Top 10
  - Common software and web application vulnerabilities
- Hands-on experience with application security testing tools such as:
  - SAST: Checkmarx, Fortify, Veracode, SonarQube
  - DAST: Burp Suite, AppScan, Acunetix
  - SCA: Snyk, Black Duck, Mend/WhiteSource
- Experience in threat modeling methodologies (e.g., STRIDE)
- Strong knowledge of authentication, authorization, encryption, secrets management, and secure design principles
- Experience working with cloud platforms such as Azure, AWS, or GCP
- Strong verbal and written communication skills with ability to work across technical and non-technical stakeholders
Preferred Qualifications
- Experience in highly regulated industries such as Banking, Financial Services, Insurance (BFSI), healthcare, or public sector
- Familiarity with security requirements related to standards/frameworks such as:
  - NIST
  - ISO 27001
  - PCI-DSS
  - SOC 2
  - OSFI guidance (for Canada-based roles)
- Experience with CI/CD platforms such as Azure DevOps, Jenkins, GitHub Actions, or GitLab
- Exposure to container security, Kubernetes security, and cloud workload protection
- Familiarity with red team / blue team collaboration for application-layer attack simulation and response readiness
Preferred Certifications
- CISSP
- CSSLP
- CISM
- CEH / GWAPT / OSCP (nice to have)
- Cloud Security certifications (Azure / AWS / GCP)
Key Skills & Competencies
- Deep expertise in application security architecture and secure development practices
- Strong analytical and problem-solving capabilities
- Ability to influence and partner with engineering teams in a collaborative manner
- Excellent stakeholder management and communication skills
- Strong understanding of balancing security, agility, and business priorities
- Ability to work independently and lead strategic application security initiatives
Pay: $75.00-$80.00 per hour
Work Location: Hybrid remote in Toronto, ON (Toronto District)