Application Security Engineer Jobs in Ontario, Canada
Ontario, Canada
Application Security Engineer
About the role
Role: Application Security SME
Location: 44 King Street West, Scotia Plaza, Toronto
Hiring Mode: 12 Months Contract + Possible Extension
Work Type: Hybrid (3 days/week onsite)
Experience Required: 8+ Years
Pay: CAD 70/Hr.
Role Summary
We are seeking an experienced Application Security SME to lead and strengthen application security across the software development lifecycle. The ideal candidate will have expertise in secure application architecture, secure coding, security testing, DevSecOps, and cloud security. This role requires close collaboration with development, engineering, DevOps, architecture, and risk teams to embed security into modern application environments.
Key Responsibilities

Application Security
Serve as the Subject Matter Expert (SME) for application security across enterprise applications.
Define and enhance application security standards, frameworks, and best practices.
Provide guidance on secure design, secure coding, threat mitigation, and vulnerability management.
Promote security-by-design principles across application development.

Secure SDLC & DevSecOps
Drive the implementation and maturity of the Secure Software Development Lifecycle (SSDLC).
Integrate security controls and testing into CI/CD pipelines.
Enable automation of application security testing and promote a shift-left security approach.

Architecture & Threat Modeling
Conduct application architecture and design security reviews.
Lead threat modeling sessions for web, mobile, API, cloud-native, and microservices applications.
Review authentication, authorization, session management, data protection, input validation, and API security controls.
Recommend secure architecture patterns and implementation guidelines.

Security Testing & Vulnerability Management
Lead or support application security assessments using:
  SAST
  DAST
  Software Composition Analysis (SCA)
  API Security Testing
  Manual security reviews and penetration testing coordination
Analyze and prioritize vulnerabilities based on risk and business impact.
Partner with development teams to validate remediation and manage third-party/open-source component risks.

Cloud Security & Governance
Provide security guidance for cloud-native applications, containers, Kubernetes, serverless, and API-based architectures.
Collaborate with cloud engineering teams to secure workloads on Azure, AWS, or GCP.
Support compliance with internal policies and industry standards.
Contribute to audits, risk assessments, security metrics, and reporting.
Required Qualifications
Bachelor's degree in Computer Science, Information Security, Engineering, or a related field.
8+ years of experience in Application Security, Secure Software Engineering, or Cybersecurity Architecture.
Experience implementing enterprise application security programs.
Strong knowledge of:
  Secure SDLC / SSDLC
  DevSecOps
  OWASP Top 10
  OWASP API Security Top 10
  Secure coding and common web application vulnerabilities
Hands-on experience with application security tools, including:
  SAST: Checkmarx, Fortify, Veracode, SonarQube
  DAST: Burp Suite, AppScan, Acunetix
  SCA: Snyk, Black Duck, Mend (WhiteSource)
Experience with threat modeling methodologies (e.g., STRIDE).
Strong understanding of authentication, authorization, encryption, secrets management, and secure design principles.
Experience securing applications on Azure, AWS, or GCP.
Excellent communication and stakeholder management skills.
Preferred Qualifications
Experience in Banking, Financial Services, Insurance (BFSI), Healthcare, or Public Sector environments.
Familiarity with security frameworks such as NIST, ISO 27001, PCI-DSS, SOC 2, and OSFI.
Experience with CI/CD platforms including Azure DevOps, Jenkins, GitHub Actions, or GitLab.
Knowledge of container security, Kubernetes security, and cloud workload protection.
Exposure to red team/blue team collaboration.
Preferred Certifications
CISSP
CSSLP
CISM
CEH, GWAPT, or OSCP (Nice to Have)
Azure, AWS, or GCP Cloud Security Certifications
Key Competencies
Expertise in application security architecture and secure development practices.
Strong analytical and problem-solving skills.
Ability to influence cross-functional engineering teams.
Excellent communication and stakeholder management skills.
Ability to balance security, business priorities, and delivery timelines.
Self-driven with the ability to lead strategic application security initiatives.
About LanceSoft, Inc.
Established in 2000, LanceSoft is a pioneer in delivering top-notch Global Workforce Solutions and IT Services to a diverse clientele. As a Certified MBE and Woman-Owned organization, we pride ourselves on fostering global cross-cultural connections that advance both the careers of our employees and the success of our clients' businesses.
At LanceSoft, our mission is clear: to leverage our global network to seamlessly connect businesses with the right talent and individuals with the right opportunities, all without bias. We believe in providing Global Workforce Solutions with a personalized, human touch.
Our comprehensive range of services spans various domains, encompassing temporary and permanent staffing, Statement of Work (SOW) arrangements, payrolling, Recruitment Process Outsourcing (RPO), application design and development, program/project management, and engineering solutions.
Currently, our team of over 5,000 professionals caters to 110+ enterprise clients worldwide, including Fortune companies. Our client base represents a diverse spectrum of industries, including Banking & Financial Services, Semiconductor/VLSI, Technology, Healthcare & Life Sciences, Government, Telecom & Media, Retail & Distribution, Oil & Gas, and Energy & Utilities.
Headquartered in Herndon, VA, LanceSoft operates 32+ regional offices across North America, Europe, Asia, and Australia. We also have nine delivery centers strategically located in India in Bangalore, Indore, Noida, Baroda, Hyderabad, Bhubaneshwar, Dehradun, Goa, and Aligarh to further enhance our client service capabilities.