Security Engineer (DevSecOps)
About the role
Job Description:
Security Engineer
Compensation: The expected salary range for this role is between $135,000 and $150,000, depending on experience and qualifications.
Reason for Opening: Net New position
AI is not used to screen, assess, or select applicants for this role.
The Company
Constellation Payment Processing is a modern Payment Facilitator (PayFac) empowering SaaS businesses to grow revenue through seamless, embedded payments. As part of Constellation Software Inc. (TSE:CSU) — a global Canadian-based software leader at a $96B market cap and the 7th largest software company in the world — we combine the agility of a specialized payments company with the strength and stability of an established global powerhouse.
We are building a cloud-native PayFac platform on AWS: microservices (DDD) across TypeScript/JavaScript, Java, and Ruby, with a ReactJS front end. As our Security Engineer,
you will co-own the DevSecOps program—driving continuous security automation,
compliance automation, and penetration testing. You will design and orchestrate SAST/SCA/DAST across our services, champion remediation practices, and partner closely with our compliance team to translate control objectives into repeatable, automated evidence.
Our customers are ISV vendors who embed payments by integrating with our APIs, SDKs,
and webhooks. That means security and compliance aren’t afterthoughts—they are product
features. You will ensure our developer-facing surface area is secure by default:
establishing standards for authentication and authorization (OIDC/OAuth2/JWT, mTLS/JWS for webhooks), key and secret management, request signing, idempotency, rate-limiting/abuse controls, and secure data handling that minimizes PCI scope for ISVs (tokenization, hosted fields/iframes, PAN vault boundaries, network tokens).
You will create secure integration patterns (reference apps, checklists, threat models/DFDs) so partners can implement quickly without compromising controls.
Because we operate a multi-tenant PayFac, you will harden isolation boundaries (network,
identity, and data), lead supply-chain security (SBOMs, signing/provenance, gated
deployments), and build continuous evidence for PCI DSS 4.0 (and SOC 2/ISO as
needed).
You will collaborate with partner security and compliance teams on due-diligence
requests (SIG Lite, AOC/ROCs, shared-responsibility matrices), and you will own pre-launch
security reviews for new ISV integrations. You will also help run incident response drills and
define partner-facing comms and SLAs for security events.
Finally, you will research and implement AI-assisted security (triage, anomaly detection,
auto-remediation PRs) with appropriate guardrails, and own KPIs that demonstrate
multiplier effects—e.g., reduced MTTR, lower false-positive rates, higher auto-triage
coverage, and faster time-to-evidence—so our platform’s security posture continuously
improves as our ISV ecosystem scales.
What You will Do
- Own Security Automation
o Design, implement, and run the CI/CD security toolchain: SAST, SCA, DAST,
container and IaC scanning, secrets detection, SBOM generation, and
policy-as-code.
o Integrate scanners into GitHub/GitHub Actions pipelines with PR gates, and
auto-ticketing to JIRA; tune noise, baselines, and break-glass rules.
o Establish vulnerability management SLAs, risk acceptance workflow, and
metrics dashboards (e.g., MTTR, vuln burn-down).
- Embed Security in the SDLC
o Create lightweight secure-coding standards and review checklists for
TypeScript/Node, Java, Ruby, React.
o Run threat modeling (STRIDE/PASTA) and produce DFDs (L0–L2) for new and
high-risk flows.
o Lead a “security champions” program with engineering squads.
- Platform & Cloud Security (AWS/EKS)
o Harden EKS workloads (admission controls, pod security, image signing,
runtime protection), ECR scanning, and supply-chain security.
o Implement and iterate on IAM least-privilege, KMS/CloudHSM key
management, network segmentation, WAF/Shield, CloudFront, GuardDuty/Security Hub, and centralized logging.
o Validate service-to-service auth (mTLS, OIDC, JWT), secrets management
(AWS Secrets Manager/SSM), and data protection at rest/in transit (FIPSvalidated
crypto).
o Manage security certificate adoption our own and 3rd party across the company technology stack.
- Compliance Automation
o Map controls and automate evidence for PCI DSS 4.0 (and SOC 2/ISO 27001 as needed): continuous monitoring, detector-to-control mappings, and audit-ready artifacts.
o Partner with compliance on policies, risk register, third-party/vendor assessments, and control testing cadence.
- Penetration Testing & Response
o Scope and coordinate internal and third-party penetration tests (API, web, mobile, cloud); plan fix-verification and retests.
o Contribute to incident response playbooks, tabletop exercises, and forensics runbooks.
o Participate in incident response events and be a key contributor on improving security posture
- Research & implement AI security tools:
o Evaluate and deploy AI/ML capabilities (LLM-assisted code reviews, AI triage for SAST/SCA/DAST, anomaly detection over logs/telemetry, drift detection) to reduce toil and increase signal quality—without leaking sensitive code or data.
- Own outcomes & KPIs:
o Define baselines, instrument dashboards, and continuously tune models/policies to demonstrably improve detection efficacy, remediation speed, and compliance evidence quality.
- Guardrails & governance:
o Establish safe-use patterns (PII redaction, repository allowlists, prompt/content controls, human-in-the-loop), document model/feature risks, and keep audit trails that map to PCI DSS 4.0 controls.
- Automation & SOAR integration:
o Orchestrate AI-assisted enrichment and response (e.g., auto-labeling, deduplication, prioritization, suggested fixes/PRs) across CI/CD, SIEM, ticketing, and chat.
KPIs You will Own
- MTTR for high-severity vulns/incidents: 40–60% vs. baseline within 2–3 quarters.
- Alert noise reduction (precision/FP rate): 50% reduction in false positives on gated scans and detections.
- Auto-triage coverage: 70% of scanner findings enriched and prioritized by AI with reviewer acceptance 90%.
- AI-generated remediation PRs: 30% of low/medium issues fixed via assisted PRs passing CI policy.
- Time-to-evidence (PCI 4.0 controls): 50% for recurring audits via automated control artifacts.
- Signed-off service coverage: 90% of services covered by AI-backed detections and scan triage.
What You will Bring
- 8–10 years in application/cloud security or DevSecOps for high-availability platforms (fintech/payments ideal).
- Hands-on DevSecOps program administration experience with Veracode.
- Fluent in Terraform for the AWS Stack
- Strong CI/CD experience (GitHub Actions preferred) and automation in Python/TypeScript/Bash.
- Solid AWS security fundamentals: IAM, KMS, CloudTrail, Config, Security Hub, GuardDuty, VPC/LBs, WAF/Shield; Kubernetes/EKS hardening experience.
- Familiarity with microservices, event-driven systems, and DDD; ability to read code in TypeScript/Java/Ruby and basic ReactJS patterns.
- Working knowledge of PCI DSS 4.0 control objectives (tokenization/PAN handling, key management, segmentation, logging/retention), plus SOC 2/ISO 27001 concepts.
- Clear communication with engineers and non-technical stakeholders; bias to
automate and simplify.
- Bonus Point: Payments domain exposure: EMV/3DS, PAN vaulting, network tokenization, P2PE, dispute/chargeback flows.
How We will Measure Success
- 90 days: Security scans embedded in CI for core services with actionable findings; baseline metrics and SLAs defined; initial PCI 4.0 control mappings complete.
- 6 months: False-positive rate <10% on gating scans; P1/P2 MTTR within SLA; SBOMs & dependency policies enforced; security champions running.
- 12 months: Compliance evidence automation covers priority controls; successful third-party penetration test with timely remediation; measurable reduction in highrisk vulns and misconfigurations.
Team & Reporting
This role sits in the CTO organization (Engineering/Platform) and partners daily with
compliance, DevOps/SRE, Backend/Frontend teams, and Product.
Our Stack (you don’t need all of these)
AWS (EKS, ECR, KMS, CloudHSM, WAF/Shield, CloudFront, GuardDuty, Security Hub,
CloudWatch), GitHub/GitHub Actions, Terraform, Node/TypeScript, Java, Ruby, React,
Kafka, MongoDB, Postgres, Redis, Veracode, OWASP ZAP/Burp, AI Tools in Microsoft
Teams, JIRA, Development IDEs (Amazon Q, Cursor, Claude Code)
Business Unit:
Jonas Financial services - Canada
Scheduled Weekly Hours:
37.5
Number of Openings Available:
1
Worker Type:
Regular
More About Jonas Software:
Jonas Software is the leading provider of enterprise management software solutions to the Country and Golf Clubs, Foodservice, Construction, Fitness & Sports, Attractions, Salon & Spa, Education, Radiology/Laboratory Information Systems, and Product Licensing industries. Within these vertical markets, Jonas is made up of over 65 distinct brands, which are respected and leaders within their own domain.
Jonas’ vision is to be the branded global leader across the aforementioned vertical markets and to be recognized by customers and respective industry stakeholders as the trusted provider of ‘Software for Life’ and as an ambassador for technology, product innovation, quality, and customer service.
Jonas Software is the valued technology partner of over 60,000 customers worldwide in more than 30 countries. Jonas employs over 2,000 skilled individuals consisting of a cross-section of industry experts and technology professionals. Jonas is headquartered in Canada and also operates offices throughout North America, the United Kingdom, Europe, Australia New Zealand and Africa. Jonas is a 100% owned subsidiary of Constellation Software Inc., headquartered in Toronto and traded on the S&P/TSX 60.
About Jonas Software
Jonas Software is the leading provider of enterprise management software solutions to over 40 different vertical markets. Within these vertical markets, Jonas has acquired over 160 unique and innovative companies.
Jonas’ vision is to be the branded global leader across the 40+ vertical markets and to be recognized by customers and respective industry stakeholders as the trusted provider of ‘Software for Life’ and as an ambassador for technology, product innovation, quality, and customer service.
Jonas Software is the valued technology partner of over 40,000 customers worldwide in more than 30 countries. Jonas employs over 3,500 skilled individuals consisting of a cross-section of industry experts and technology professionals. Jonas is headquartered in Canada and also operates offices throughout North America, the United Kingdom, Europe, Australia, South America and Africa. Jonas is a 100% owned subsidiary of Constellation Software Inc., headquartered in Toronto and traded on the TSX (CSU.TO).
Security Engineer (DevSecOps)
About the role
Job Description:
Security Engineer
Compensation: The expected salary range for this role is between $135,000 and $150,000, depending on experience and qualifications.
Reason for Opening: Net New position
AI is not used to screen, assess, or select applicants for this role.
The Company
Constellation Payment Processing is a modern Payment Facilitator (PayFac) empowering SaaS businesses to grow revenue through seamless, embedded payments. As part of Constellation Software Inc. (TSE:CSU) — a global Canadian-based software leader at a $96B market cap and the 7th largest software company in the world — we combine the agility of a specialized payments company with the strength and stability of an established global powerhouse.
We are building a cloud-native PayFac platform on AWS: microservices (DDD) across TypeScript/JavaScript, Java, and Ruby, with a ReactJS front end. As our Security Engineer,
you will co-own the DevSecOps program—driving continuous security automation,
compliance automation, and penetration testing. You will design and orchestrate SAST/SCA/DAST across our services, champion remediation practices, and partner closely with our compliance team to translate control objectives into repeatable, automated evidence.
Our customers are ISV vendors who embed payments by integrating with our APIs, SDKs,
and webhooks. That means security and compliance aren’t afterthoughts—they are product
features. You will ensure our developer-facing surface area is secure by default:
establishing standards for authentication and authorization (OIDC/OAuth2/JWT, mTLS/JWS for webhooks), key and secret management, request signing, idempotency, rate-limiting/abuse controls, and secure data handling that minimizes PCI scope for ISVs (tokenization, hosted fields/iframes, PAN vault boundaries, network tokens).
You will create secure integration patterns (reference apps, checklists, threat models/DFDs) so partners can implement quickly without compromising controls.
Because we operate a multi-tenant PayFac, you will harden isolation boundaries (network,
identity, and data), lead supply-chain security (SBOMs, signing/provenance, gated
deployments), and build continuous evidence for PCI DSS 4.0 (and SOC 2/ISO as
needed).
You will collaborate with partner security and compliance teams on due-diligence
requests (SIG Lite, AOC/ROCs, shared-responsibility matrices), and you will own pre-launch
security reviews for new ISV integrations. You will also help run incident response drills and
define partner-facing comms and SLAs for security events.
Finally, you will research and implement AI-assisted security (triage, anomaly detection,
auto-remediation PRs) with appropriate guardrails, and own KPIs that demonstrate
multiplier effects—e.g., reduced MTTR, lower false-positive rates, higher auto-triage
coverage, and faster time-to-evidence—so our platform’s security posture continuously
improves as our ISV ecosystem scales.
What You will Do
- Own Security Automation
o Design, implement, and run the CI/CD security toolchain: SAST, SCA, DAST,
container and IaC scanning, secrets detection, SBOM generation, and
policy-as-code.
o Integrate scanners into GitHub/GitHub Actions pipelines with PR gates, and
auto-ticketing to JIRA; tune noise, baselines, and break-glass rules.
o Establish vulnerability management SLAs, risk acceptance workflow, and
metrics dashboards (e.g., MTTR, vuln burn-down).
- Embed Security in the SDLC
o Create lightweight secure-coding standards and review checklists for
TypeScript/Node, Java, Ruby, React.
o Run threat modeling (STRIDE/PASTA) and produce DFDs (L0–L2) for new and
high-risk flows.
o Lead a “security champions” program with engineering squads.
- Platform & Cloud Security (AWS/EKS)
o Harden EKS workloads (admission controls, pod security, image signing,
runtime protection), ECR scanning, and supply-chain security.
o Implement and iterate on IAM least-privilege, KMS/CloudHSM key
management, network segmentation, WAF/Shield, CloudFront, GuardDuty/Security Hub, and centralized logging.
o Validate service-to-service auth (mTLS, OIDC, JWT), secrets management
(AWS Secrets Manager/SSM), and data protection at rest/in transit (FIPSvalidated
crypto).
o Manage security certificate adoption our own and 3rd party across the company technology stack.
- Compliance Automation
o Map controls and automate evidence for PCI DSS 4.0 (and SOC 2/ISO 27001 as needed): continuous monitoring, detector-to-control mappings, and audit-ready artifacts.
o Partner with compliance on policies, risk register, third-party/vendor assessments, and control testing cadence.
- Penetration Testing & Response
o Scope and coordinate internal and third-party penetration tests (API, web, mobile, cloud); plan fix-verification and retests.
o Contribute to incident response playbooks, tabletop exercises, and forensics runbooks.
o Participate in incident response events and be a key contributor on improving security posture
- Research & implement AI security tools:
o Evaluate and deploy AI/ML capabilities (LLM-assisted code reviews, AI triage for SAST/SCA/DAST, anomaly detection over logs/telemetry, drift detection) to reduce toil and increase signal quality—without leaking sensitive code or data.
- Own outcomes & KPIs:
o Define baselines, instrument dashboards, and continuously tune models/policies to demonstrably improve detection efficacy, remediation speed, and compliance evidence quality.
- Guardrails & governance:
o Establish safe-use patterns (PII redaction, repository allowlists, prompt/content controls, human-in-the-loop), document model/feature risks, and keep audit trails that map to PCI DSS 4.0 controls.
- Automation & SOAR integration:
o Orchestrate AI-assisted enrichment and response (e.g., auto-labeling, deduplication, prioritization, suggested fixes/PRs) across CI/CD, SIEM, ticketing, and chat.
KPIs You will Own
- MTTR for high-severity vulns/incidents: 40–60% vs. baseline within 2–3 quarters.
- Alert noise reduction (precision/FP rate): 50% reduction in false positives on gated scans and detections.
- Auto-triage coverage: 70% of scanner findings enriched and prioritized by AI with reviewer acceptance 90%.
- AI-generated remediation PRs: 30% of low/medium issues fixed via assisted PRs passing CI policy.
- Time-to-evidence (PCI 4.0 controls): 50% for recurring audits via automated control artifacts.
- Signed-off service coverage: 90% of services covered by AI-backed detections and scan triage.
What You will Bring
- 8–10 years in application/cloud security or DevSecOps for high-availability platforms (fintech/payments ideal).
- Hands-on DevSecOps program administration experience with Veracode.
- Fluent in Terraform for the AWS Stack
- Strong CI/CD experience (GitHub Actions preferred) and automation in Python/TypeScript/Bash.
- Solid AWS security fundamentals: IAM, KMS, CloudTrail, Config, Security Hub, GuardDuty, VPC/LBs, WAF/Shield; Kubernetes/EKS hardening experience.
- Familiarity with microservices, event-driven systems, and DDD; ability to read code in TypeScript/Java/Ruby and basic ReactJS patterns.
- Working knowledge of PCI DSS 4.0 control objectives (tokenization/PAN handling, key management, segmentation, logging/retention), plus SOC 2/ISO 27001 concepts.
- Clear communication with engineers and non-technical stakeholders; bias to
automate and simplify.
- Bonus Point: Payments domain exposure: EMV/3DS, PAN vaulting, network tokenization, P2PE, dispute/chargeback flows.
How We will Measure Success
- 90 days: Security scans embedded in CI for core services with actionable findings; baseline metrics and SLAs defined; initial PCI 4.0 control mappings complete.
- 6 months: False-positive rate <10% on gating scans; P1/P2 MTTR within SLA; SBOMs & dependency policies enforced; security champions running.
- 12 months: Compliance evidence automation covers priority controls; successful third-party penetration test with timely remediation; measurable reduction in highrisk vulns and misconfigurations.
Team & Reporting
This role sits in the CTO organization (Engineering/Platform) and partners daily with
compliance, DevOps/SRE, Backend/Frontend teams, and Product.
Our Stack (you don’t need all of these)
AWS (EKS, ECR, KMS, CloudHSM, WAF/Shield, CloudFront, GuardDuty, Security Hub,
CloudWatch), GitHub/GitHub Actions, Terraform, Node/TypeScript, Java, Ruby, React,
Kafka, MongoDB, Postgres, Redis, Veracode, OWASP ZAP/Burp, AI Tools in Microsoft
Teams, JIRA, Development IDEs (Amazon Q, Cursor, Claude Code)
Business Unit:
Jonas Financial services - Canada
Scheduled Weekly Hours:
37.5
Number of Openings Available:
1
Worker Type:
Regular
More About Jonas Software:
Jonas Software is the leading provider of enterprise management software solutions to the Country and Golf Clubs, Foodservice, Construction, Fitness & Sports, Attractions, Salon & Spa, Education, Radiology/Laboratory Information Systems, and Product Licensing industries. Within these vertical markets, Jonas is made up of over 65 distinct brands, which are respected and leaders within their own domain.
Jonas’ vision is to be the branded global leader across the aforementioned vertical markets and to be recognized by customers and respective industry stakeholders as the trusted provider of ‘Software for Life’ and as an ambassador for technology, product innovation, quality, and customer service.
Jonas Software is the valued technology partner of over 60,000 customers worldwide in more than 30 countries. Jonas employs over 2,000 skilled individuals consisting of a cross-section of industry experts and technology professionals. Jonas is headquartered in Canada and also operates offices throughout North America, the United Kingdom, Europe, Australia New Zealand and Africa. Jonas is a 100% owned subsidiary of Constellation Software Inc., headquartered in Toronto and traded on the S&P/TSX 60.
About Jonas Software
Jonas Software is the leading provider of enterprise management software solutions to over 40 different vertical markets. Within these vertical markets, Jonas has acquired over 160 unique and innovative companies.
Jonas’ vision is to be the branded global leader across the 40+ vertical markets and to be recognized by customers and respective industry stakeholders as the trusted provider of ‘Software for Life’ and as an ambassador for technology, product innovation, quality, and customer service.
Jonas Software is the valued technology partner of over 40,000 customers worldwide in more than 30 countries. Jonas employs over 3,500 skilled individuals consisting of a cross-section of industry experts and technology professionals. Jonas is headquartered in Canada and also operates offices throughout North America, the United Kingdom, Europe, Australia, South America and Africa. Jonas is a 100% owned subsidiary of Constellation Software Inc., headquartered in Toronto and traded on the TSX (CSU.TO).