About the role
#### It’s not a package. It’s a promise®.
As Canada’s leading integrated freight, package, and logistics provider, we’ve been helping promises get where they need to be for more than 60 years. How does the magic happen? The journey starts with you. The places we go, the elements we brave, the promises we deliver – **it’s all possible because of our people.** So, whether you’re looking to build new skills, make an impact in your community, or inspire your team, we go there for you.
## Description
Purolator is one of Canada’s leading integrated freight, package, and logistics solutions providers, delivering dependable service to customers across the country. Security is a core enabler of Purolator’s digital and operational strategy. The Information Security Office partners closely with technology and business teams to protect Purolator’s systems, data, and customers while enabling innovation and secure delivery at scale.
The Senior Application Security Analyst is responsible for embedding security into the software development lifecycle (SDLC) by partnering closely with application and engineering teams. This role focuses on identifying, assessing, and reducing application and API security risk through threat modeling, secure design reviews, vulnerability management, and the operationalization of application security controls.
The successful candidate will act as a subject matter expert for application security, providing hands‑on guidance to development teams while helping mature secure development practices across the enterprise.
## Responsibilities
Application & API Security
- Perform application and API security assessments, including design reviews, threat modeling, and architecture reviews, in alignment with enterprise application security standards
- Identify security risks across custom‑built, SaaS, and third‑party applications and work with application owners to define practical remediation plans
- Review authentication, authorization, data handling, and integration patterns to ensure secure‑by-design implementations
Secure SDLC & DevSecOps
- Embed security requirements and controls early in the SDLC (“shift left”) by working directly with development and delivery teams
- Support the integration and tuning of Static Application Security Testing (SAST), Software Composition Analysis (SCA), secret scanning, Dynamic Application Security Testing (DAST) and other application security tooling within CI/CD pipelines
- Provide secure coding guidance and recommendations based on OWASP Top 10 and industry best practices
- Develop and maintain clear, reusable documentation and standardized frameworks to enable consistent adoption of application security practices across teams
Vulnerability & Risk Management
- Triage and assess application security findings from automated tools, penetration tests, and manual reviews
- Partner with application teams to prioritize remediation based on risk, exploitability, and business impact
Advisory & Stakeholder Engagement
- Act as a trusted security advisor to application owners, architects, and developers
- Contribute to the development and maintenance of application security standards, patterns, and guidance documentation
- Support third‑party assessments and security reviews for externally developed or hosted applications
Continuous Improvement
- Identify opportunities to improve application security processes, tooling, and governance
- Stay current with emerging application security threats, vulnerabilities, and defensive techniques
## Required Qualifications
- Bachelor’s degree in Computer Science, Information Security, or a related field, or equivalent practical experience
- 5+ years of progressive experience in application security, secure software development, or product security
- Strong understanding of web and API technologies (HTTP/S, REST, JSON, OAuth, OpenID Connect, SAML)
- Hands‑on experience with application security testing tools (SAST, SCA, DAST, secret scanning)
- Solid knowledge of OWASP Top 10, threat modeling methodologies, and secure coding principles
- Strong analytical, problem‑solving, and communication skills, with the ability to explain security risks to both technical and non‑technical audiences
- Exceptional interpersonal skills and a proven ability to flourish in a fast-paced environment.
- Ability to work effectively in a cross-disciplinary team, across multiple projects and multiple locations.
## Additional skills that set you apart
- Experience securing cloud‑native applications in AWS and/or Azure environments
- Familiarity with API gateways, WAFs, and runtime protection controls
- Experience working in agile or DevOps delivery environments
- Relevant security certifications (e.g., CSSLP, GWAPT, GWEB, CISSP, OSCP)
- Strong knowledge of one or more modern programming languages (e.g. Python, Java, C++, JavaScript)
The work we do at Purolator impacts every Canadian. To work with us, you must be eligible to obtain a Reliability Security Clearance.
**Language Requirement:** Proficiency in English is required for this position due to the frequent communications that must be conducted in English with various stakeholders. This requirement is justified by the nature of the responsibilities and operational needs.
POSTING DETAILS
**Location:** 530 - Corporate
**Working Conditions:** Office Environment
**Reports to:** Technology Manager Information Security Office
Purolator is an equal opportunity employer committed to diversity and inclusion. We welcome all qualified applicants and provide accommodations during the recruitment process upon request.
Purolator complies with Canadian law in all recruitment practices. During pre-screening, we may use an Artificial Intelligence (AI) tool, supported by human oversight, to efficiently manage tasks such as resume screening and candidate matching, enabling our team to connect with qualified candidates faster.
Personal information is used solely for recruitment and managed in accordance with privacy legislation. For AI-related inquiries only, contact TalentCOE@purolator.com. To apply, visit our Careers Page.
We recognize that employees and their families are essential to our success. We strive to provide a safe, healthy, and supportive workplace, ensuring the right people have the tools they need to thrive.
Every day at Purolator is an opportunity to connect with colleagues, customers, and communities to make a positive impact. Learn more about our values at www.purolator.com.