Application Security Analyst
About the role
Title: Application Security Analyst Department: Information Technology Location: 6300 Steeles Ave West, Woodbridge Total Potential Compensation: $95,000-$115,000 Position Summary: As an Application Security Analyst, you will be responsible for supporting and operating core security capabilities across 407 ETR’s digital environment, with a primary focus on application security. This includes promoting secure-by-design practices throughout the SDLC and supporting the integration and operation of security tooling and automation, such as SAST, DAST, SCA, ASPM, and penetration testing services. You will work closely with Architecture, DevOps, QA, Product teams, and external partners to embed security controls into requirements, design, development, testing, and release activities, and track and manage security vulnerabilities through remediation. This role also contributes to improving the overall cyber and technology risk posture, with measurable improvements reflected in the Technology and Cyber Risk Indices (TRI/SRI). Hours of work are onsite, Monday to Friday, 7.5 hours daily, or as required. After-hours support and on-call duties may be required for priority releases or security incidents. Position Responsibilities: AppSec Strategy & SDLC Integration Embed security requirements and non‑functional controls into epics, features, and user stories; maintain security traceability throughout the lifecycle. Lead threat modeling at design time for new and changed services (web, mobile, APIs, microservices) and ensure mitigations are implemented prior to coding. Define and operate SDLC security gates (pre‑commit, build, test, deployment) with policy‑driven thresholds (e.g., fail on Critical/High) and exceptions governance. DevSecOps Tooling & Automation Implement and tune SAST, DAST, SCA and ASPM integrations within CI/CD, ensuring coverage, accuracy, and developer‑friendly feedback loops; coordinate PTaaS cycles aligned to release schedules Partner with DevOps to secure build pipelines, artifacts, and environments (e.g., IaC scanning, container image hardening, secrets management, SBOM generation and validation) Work with platform teams to evolve pipelines consistent with the 407 ETR DevOps framework and future‑state CI/CD models Findings Management & Risk Reporting Operate a unified findings intake (ASPM as system of record) for automated tool outputs and manual assessments; triage, prioritize, and track remediation to closure Apply a risk‑based SLA model (severity, exploitability, asset criticality) and escalate overdue items; publish weekly triage outcomes and monthly KPIs. Report AppSec posture using TRI/SRI aligned metrics (e.g., unresolved criticals, mean‑time‑to‑remediate, coverage, policy conformance) Secure Engineering Enablement Provide secure coding guidance, sample patterns, and remediation support for developers; deliver targeted training and office hours Collaborate on architecture reviews, pen‑test scoping, and change risk assessments for web and mobile (using established change‑type workflow) Contribute to AppSec policies/standards and improve documentation (playbooks, runbooks, “definition of done” security criteria) Additional Technical Experience Experience with Data Loss Prevention (DLP) technologies and controls, including policy configuration, monitoring, and incident investigation, is required Experience with Single Sign-On (SSO) integrations and identity federation protocols is an asset. Compliance & Vendor Management Ensure controls align with PCI DSS Secure SDLC, ISO 27001/27002, and NIST DevSecOps guidance (e.g., SP 800‑204D); support internal/external audits and evidence collection Manage AppSec vendor relationships and deliverables per the Application Security Managed Service scope (ASPM, PTaaS, continuous monitoring) Note: This job description is not intended to be all-inclusive. The employee may perform other related duties, as assigned, to meet the ongoing needs of the organization. Qualifications Minimum 5+ years of experience in IT Security, with strong hands-on experience in Security Operations. College Diploma or University Degree in Computer Science, Engineering, or related field. EDR platforms (e.g., endpoint containment, alert triage, investigation). NDR technologies and network-based threat detection. Security Incident Response and Investigation. Strong understanding of attacker techniques and defensive controls (MITRE ATT&CK). Experience working in regulated or audit-driven environments. Strong understanding of authentication, authorization, MFA, RBAC, and privileged access concepts. SSO Authentication: Experience implementing and supporting SSO solutions for secure user access across enterprise applications. Preferred Qualifications Knowledge of standing up a mature Application Security framework Experience with enterprise SOC tooling including SIEM, EDR, NDR, SOAR. Experience operating security controls in hybrid (on‑prem and cloud) environments. Familiarity with Security Risk Index (SRI), cyber risk metrics, or risk-based reporting. Knowledge of network architecture and segmentation concepts. We are actively seeking to fill this role as it is a current vacancy. About 407 ETR Highway 407 ETR is an all-electronic open-access toll highway located in the Greater Toronto Area in Ontario, Canada. The highway spans 108 kilometres from Burlington in the west to Pickering in the east. 407 International Inc. is the sole shareholder of 407 ETR and is owned by: Cintra Global S.E., a subsidiary of Ferrovial S.A. (48.29%) Canada Pension Plan Investment Board (CPP Investments) and other institutional investors with non-controlling interests (44.20%) Public Sector Pension Investment Board (PSP Investments) (7.51%) Learn more at 407etr.com Note: At 407 ETR, we are committed to fostering a diverse, equitable, and inclusive work environment. We value the unique perspectives and backgrounds of all individuals, and we firmly believe that our individual differences make us stronger as a whole. Our commitment to inclusion extends beyond recruitment and encompasses an inclusive workplace culture through raising awareness, ongoing training, and encouraging feedback. We aim to create a safe and supportive environment where all employees can thrive. Accommodation for disabilities or other grounds protected by human rights legislation are available upon request for candidates taking part in all aspects of the employment selection process. Highway 407 ETR is an all-electronic open-access toll highway located in the Greater Toronto Area in Ontario, Canada. The highway spans 108 kilometres from Burlington in the west to Pickering in the east. 407 International Inc. is the sole shareholder of 407 ETR and is owned by: Cintra Global S.E., a subsidiary of Ferrovial S.A. (48.29%) Canada Pension Plan Investment Board (CPP Investments) and other institutional investors with non-controlling interests (44.20%) Public Sector Pension Investment Board (PSP Investments) (7.51%)
Not the right fit? Search for Application Security Analyst jobs in Vaughan, Ontario, Canada
About 407 ETR Concession Company
407 ETR is the world’s first all-electronic, barrier-free toll highway, stretching 108 km from Burlington (in the west) to Pickering (in the east).
Save Time: Taking 407 ETR across the GTA means avoiding congestion. Transit providers and businesses rely on 407 ETR to move people and good quickly across the region.
Safety is our priority: With 24/7 Highway Safety Patrols and Highway Monitoring, we do our best to ensure that help is never far away if you need it. Our partnership with the Ontario Provincial Police helps keep traffic moving safely.
Customer Experience: We're focused on serving you well, both on and off the road. Discovering the latest promotions/offers or planning the cost of an upcoming trip using the toll calculator are just a few reasons to add www.407etr.com as one of your favourites…and you can visit on any device! Log into your web account (or sign up in minutes) to leverage your one-stop shop for many helpful account options like switching to paperless billing or pre-authorized billing, viewing past bills or to pay your current bill.
Caring for your car: Driving at a safe and consistent speed on an excellent and well-maintained highway helps to keep your car efficient and gives you better fuel economy, saving you money on gas and maintenance.
Drive More Save More: Customers are automatically enrolled in ETR Rewards when they drive a certain number of transponder kilometres. The more you drive, the greater your savings. Check out the ETR Rewards page to see how you can get in and what benefits you can receive!
We invite you to explore our website to learn more about our online services, investments to improve traffic flow, interesting facts about the highway, real-life stories from the road and more. Thank you for taking the time to learn about 407 ETR!
Similar Jobs
Application Security Analyst
About the role
Title: Application Security Analyst Department: Information Technology Location: 6300 Steeles Ave West, Woodbridge Total Potential Compensation: $95,000-$115,000 Position Summary: As an Application Security Analyst, you will be responsible for supporting and operating core security capabilities across 407 ETR’s digital environment, with a primary focus on application security. This includes promoting secure-by-design practices throughout the SDLC and supporting the integration and operation of security tooling and automation, such as SAST, DAST, SCA, ASPM, and penetration testing services. You will work closely with Architecture, DevOps, QA, Product teams, and external partners to embed security controls into requirements, design, development, testing, and release activities, and track and manage security vulnerabilities through remediation. This role also contributes to improving the overall cyber and technology risk posture, with measurable improvements reflected in the Technology and Cyber Risk Indices (TRI/SRI). Hours of work are onsite, Monday to Friday, 7.5 hours daily, or as required. After-hours support and on-call duties may be required for priority releases or security incidents. Position Responsibilities: AppSec Strategy & SDLC Integration Embed security requirements and non‑functional controls into epics, features, and user stories; maintain security traceability throughout the lifecycle. Lead threat modeling at design time for new and changed services (web, mobile, APIs, microservices) and ensure mitigations are implemented prior to coding. Define and operate SDLC security gates (pre‑commit, build, test, deployment) with policy‑driven thresholds (e.g., fail on Critical/High) and exceptions governance. DevSecOps Tooling & Automation Implement and tune SAST, DAST, SCA and ASPM integrations within CI/CD, ensuring coverage, accuracy, and developer‑friendly feedback loops; coordinate PTaaS cycles aligned to release schedules Partner with DevOps to secure build pipelines, artifacts, and environments (e.g., IaC scanning, container image hardening, secrets management, SBOM generation and validation) Work with platform teams to evolve pipelines consistent with the 407 ETR DevOps framework and future‑state CI/CD models Findings Management & Risk Reporting Operate a unified findings intake (ASPM as system of record) for automated tool outputs and manual assessments; triage, prioritize, and track remediation to closure Apply a risk‑based SLA model (severity, exploitability, asset criticality) and escalate overdue items; publish weekly triage outcomes and monthly KPIs. Report AppSec posture using TRI/SRI aligned metrics (e.g., unresolved criticals, mean‑time‑to‑remediate, coverage, policy conformance) Secure Engineering Enablement Provide secure coding guidance, sample patterns, and remediation support for developers; deliver targeted training and office hours Collaborate on architecture reviews, pen‑test scoping, and change risk assessments for web and mobile (using established change‑type workflow) Contribute to AppSec policies/standards and improve documentation (playbooks, runbooks, “definition of done” security criteria) Additional Technical Experience Experience with Data Loss Prevention (DLP) technologies and controls, including policy configuration, monitoring, and incident investigation, is required Experience with Single Sign-On (SSO) integrations and identity federation protocols is an asset. Compliance & Vendor Management Ensure controls align with PCI DSS Secure SDLC, ISO 27001/27002, and NIST DevSecOps guidance (e.g., SP 800‑204D); support internal/external audits and evidence collection Manage AppSec vendor relationships and deliverables per the Application Security Managed Service scope (ASPM, PTaaS, continuous monitoring) Note: This job description is not intended to be all-inclusive. The employee may perform other related duties, as assigned, to meet the ongoing needs of the organization. Qualifications Minimum 5+ years of experience in IT Security, with strong hands-on experience in Security Operations. College Diploma or University Degree in Computer Science, Engineering, or related field. EDR platforms (e.g., endpoint containment, alert triage, investigation). NDR technologies and network-based threat detection. Security Incident Response and Investigation. Strong understanding of attacker techniques and defensive controls (MITRE ATT&CK). Experience working in regulated or audit-driven environments. Strong understanding of authentication, authorization, MFA, RBAC, and privileged access concepts. SSO Authentication: Experience implementing and supporting SSO solutions for secure user access across enterprise applications. Preferred Qualifications Knowledge of standing up a mature Application Security framework Experience with enterprise SOC tooling including SIEM, EDR, NDR, SOAR. Experience operating security controls in hybrid (on‑prem and cloud) environments. Familiarity with Security Risk Index (SRI), cyber risk metrics, or risk-based reporting. Knowledge of network architecture and segmentation concepts. We are actively seeking to fill this role as it is a current vacancy. About 407 ETR Highway 407 ETR is an all-electronic open-access toll highway located in the Greater Toronto Area in Ontario, Canada. The highway spans 108 kilometres from Burlington in the west to Pickering in the east. 407 International Inc. is the sole shareholder of 407 ETR and is owned by: Cintra Global S.E., a subsidiary of Ferrovial S.A. (48.29%) Canada Pension Plan Investment Board (CPP Investments) and other institutional investors with non-controlling interests (44.20%) Public Sector Pension Investment Board (PSP Investments) (7.51%) Learn more at 407etr.com Note: At 407 ETR, we are committed to fostering a diverse, equitable, and inclusive work environment. We value the unique perspectives and backgrounds of all individuals, and we firmly believe that our individual differences make us stronger as a whole. Our commitment to inclusion extends beyond recruitment and encompasses an inclusive workplace culture through raising awareness, ongoing training, and encouraging feedback. We aim to create a safe and supportive environment where all employees can thrive. Accommodation for disabilities or other grounds protected by human rights legislation are available upon request for candidates taking part in all aspects of the employment selection process. Highway 407 ETR is an all-electronic open-access toll highway located in the Greater Toronto Area in Ontario, Canada. The highway spans 108 kilometres from Burlington in the west to Pickering in the east. 407 International Inc. is the sole shareholder of 407 ETR and is owned by: Cintra Global S.E., a subsidiary of Ferrovial S.A. (48.29%) Canada Pension Plan Investment Board (CPP Investments) and other institutional investors with non-controlling interests (44.20%) Public Sector Pension Investment Board (PSP Investments) (7.51%)
Not the right fit? Search for Application Security Analyst jobs in Vaughan, Ontario, Canada
About 407 ETR Concession Company
407 ETR is the world’s first all-electronic, barrier-free toll highway, stretching 108 km from Burlington (in the west) to Pickering (in the east).
Save Time: Taking 407 ETR across the GTA means avoiding congestion. Transit providers and businesses rely on 407 ETR to move people and good quickly across the region.
Safety is our priority: With 24/7 Highway Safety Patrols and Highway Monitoring, we do our best to ensure that help is never far away if you need it. Our partnership with the Ontario Provincial Police helps keep traffic moving safely.
Customer Experience: We're focused on serving you well, both on and off the road. Discovering the latest promotions/offers or planning the cost of an upcoming trip using the toll calculator are just a few reasons to add www.407etr.com as one of your favourites…and you can visit on any device! Log into your web account (or sign up in minutes) to leverage your one-stop shop for many helpful account options like switching to paperless billing or pre-authorized billing, viewing past bills or to pay your current bill.
Caring for your car: Driving at a safe and consistent speed on an excellent and well-maintained highway helps to keep your car efficient and gives you better fuel economy, saving you money on gas and maintenance.
Drive More Save More: Customers are automatically enrolled in ETR Rewards when they drive a certain number of transponder kilometres. The more you drive, the greater your savings. Check out the ETR Rewards page to see how you can get in and what benefits you can receive!
We invite you to explore our website to learn more about our online services, investments to improve traffic flow, interesting facts about the highway, real-life stories from the road and more. Thank you for taking the time to learn about 407 ETR!