Intermediate Application Security Engineer
About ANVIL
ANVIL is a trusted partner in the defence industry, delivering cutting-edge solutions that enhance military capabilities and operational effectiveness. We extend our expertise to public safety, law enforcement, and national security organizations, accelerating mission-critical decision-making through analytical tools, automations, and game-changing machine learning capabilities. ANVIL helps organizations discover, manage, enrich, fuse, and exploit the information available to them in support of Information Dominance and Decision Advantage.
Job Type: Full Time Remote (Hybrid option available for those in the Ottawa area - 55 Murray Street Office)
Total Compensation: CAD $105,000 to $145,000 base salary - Placement within range based on experience and qualifications
Role (Description)
As an Intermediate Application Security Engineer, you will be an active contributor to ANVIL's growing application security program, working under the mentorship of our Senior Application Security Engineer and reporting to the Director of Security Engineering. This is a hands-on, execution-focused role — you will be the person keeping our AppSec tooling running, our vulnerability SLAs on track, and our security gates functioning reliably across the software development lifecycle.
You will operate across a diverse and technically demanding environment: ANVIL's products are primarily deployed in air-gapped, classified customer environments, while our development and demo infrastructure runs on GCP. You will need to be comfortable navigating both Linux and Windows systems and applying sound security judgment in contexts where external connectivity cannot be assumed.
This role is well suited to someone early in their security engineering career who is eager to build depth across application security tooling, vulnerability management, and threat modeling — and who thrives with clear mentorship and real ownership of day-to-day security operations.
We value people who have an ingrained sense of accountability to the team around them. As an ideal candidate, you are technically curious, detail-oriented, and take pride in doing the fundamentals exceptionally well. You ask good questions, follow through on commitments, and communicate clearly when you hit blockers.
This is a full-time position based in Ottawa with up to 25% travel primarily in the National Capital Region. Eligible candidates must either possess or be eligible to obtain a Government of Canada Secret or Top Secret security clearance.
Required Qualifications
Security Clearance
Eligible for Government of Canada Secret or Top Secret security clearance
Education & Experience
- Bachelor's degree in Software Engineering, Computer Science, Cybersecurity, or a related technical field, or equivalent practical experience
- 2-4 years of experience in application security, security engineering, or a closely related role
- Hands-on experience operating AppSec tooling such as SAST, DAST, SCA, or container scanning platforms
- Demonstrated experience tracking, triaging, and driving remediation of security vulnerabilities in a development environment
- Familiarity with secure software development practices and at least one SDLC methodology
- Familiarity with Linux and Windows operating environments from a security perspective
- Familiarity with threat modeling methodologies (e.g., STRIDE, PASTA, LINDDUN, or Attack Trees)
- Experience with GCP or equivalent cloud platform for dev/staging environment security
Skills & Competencies
- Working knowledge of application security principles and common vulnerability classes (OWASP Top 10, SANS CWE)
- Hands-on experience with one or more AppSec tooling categories: SAST, DAST, SCA, container scanning, or secrets detection
- Proven ability to triage vulnerability findings, assess exploitability and risk, and communicate remediation priorities clearly to development teams
- Familiarity with CI/CD pipelines and how security tooling integrates within them (GitLab CI or equivalent)
- Familiarity with threat modeling concepts and a willingness to develop this skill under senior guidance
- Working knowledge of Linux and Windows system internals relevant to security — file permissions, user privilege models, common attack surfaces
- Familiarity with digital forensic investigation concepts, including log analysis, artifact identification, and basic incident triage
- Familiarity with containerization technologies (Docker, Kubernetes) and associated security considerations
- Strong analytical mindset with exceptional attention to detail and ability to manage multiple open findings or workstreams simultaneously
- Clear written and verbal communication skills, with the ability to write concise, actionable vulnerability reports
- Collaborative work style with a willingness to learn from and contribute to a small, high-trust security team
Preferred Qualifications
- Relevant certifications or coursework (CompTIA Security+, eJPT, CEH, GWEB, or equivalent entry/intermediate security credentials)
- Scripting and automation experience (Python, Go, Bash, Rust, or other)
- Experience with PostgreSQL, OpenSearch, or Elasticsearch from a security or operations perspective
- Experience with vulnerability management platforms or risk registers
- Experience with secret management platforms suited to air-gapped environments (HashiCorp Vault, OpenBao, or equivalent on-premises solutions)
- Bilingualism French/English
- Experience working in or closely with defence, public safety, or national security organizations
Key Responsibilities
AppSec Tooling & Pipeline Integration
- Operate and maintain ANVIL's AppSec tooling suite, including SAST, DAST, SCA, container scanning, and secrets detection
- Monitor pipeline security gates and ensure tooling is functioning correctly across active development projects
- Tune and refine scanning rules to reduce false positives and improve signal quality over time
- Support the onboarding of new repositories and services into existing AppSec tooling workflows
- Document tooling configurations, known issues, and operational runbooks to support team continuity
Vulnerability Management & SLA Compliance
- Triage incoming vulnerability findings from automated scans, penetration tests, and third-party advisories
- Assess exploitability, contextual risk, and business impact to produce clear, prioritized remediation guidance for development teams
- Track open findings against established SLAs, escalating aging or critical issues to the Senior Application Security Engineer as appropriate
- Maintain and report on the vulnerability register, providing regular status updates on remediation progress
- Work collaboratively with development teams to unblock remediation efforts and validate fixes once deployed
Threat Modeling Support
- Participate in threat modeling sessions alongside the Senior Application Security Engineer, contributing findings and learning structured methodologies (STRIDE, PASTA, or equivalent)
- Assist in documenting threat models, data flow diagrams, and identified risks for new and evolving system architectures
- Help maintain threat libraries and reusable security design pattern documentation as the program matures
- Develop familiarity with ANVIL's architecture and deployment patterns to contribute meaningfully to future threat modeling engagements
Secure SDLC Participation
- Participate in code reviews and design discussions as a security contributor, flagging concerns and suggesting mitigations
- Support the enforcement of security review gates and assist developers in understanding and resolving security findings
- Help maintain secure coding guidelines and contribute to developer-facing security documentation
- Assist in preparing materials for developer security awareness initiatives under the direction of the Senior Application Security Engineer
Forensics & Incident Support
- Apply foundational forensic investigation skills to support incident triage, including log analysis, artifact identification, and timeline reconstruction on Linux and Windows systems
- Assist the Director of Security Engineering and the Senior Application Security Engineer in incident response activities, following established procedures for evidence handling and chain-of-custody in classified environments
- Document findings clearly and completely to support post-incident review and lessons-learned processes
Technical Support & Collaboration
- Participate actively in sprint planning, security reviews, and team stand-ups as a contributing security voice
- Provide security guidance to development teams on day-to-day questions related to vulnerabilities, tooling, and secure coding
- Support on-site customer engagements for software product provisioning and security configuration as needed
Why Join Us?
Our Mission
This is more than just a job: you'll be part of a team of dedicated professionals who share a common goal: to increase the safety and security of Western democracies through the effective use of data. Our workplace is a community of like-minded people working together to make a positive impact on the world we live in.
Compensation & Benefits
- Competitive salaries
- Flexible health benefits package through Equitable
- Industry-leading employer retirement contributions match
Work Environment
- Hybrid work model combining remote flexibility with meaningful in-person collaboration
- Modern office in the historic Carriageway building in beautiful downtown Ottawa
- Access to downtown amenities, transit, and Ottawa's vibrant cultural scene
What You'll Experience
- Work alongside dedicated professionals who value excellence and collaboration
- Contribute to building the team behind technologies with real-world security impact
- Ground-floor opportunity to shape people operations as ANVIL scales
- Join a culture where your expertise and ideas matter
Use of AI in Recruitment: ANVIL does not use artificial intelligence to screen, assess, or select applicants for this position. All applications are reviewed by members of our recruitment team.