
Senior Specialist Application Security

ipss inc.

Golden Horseshoe

On-site

CAD 122,000 - 164,000

Full time

4 days ago

Job summary

An established industry player is seeking a Senior Specialist in Application Security to lead initiatives that enhance cloud-native application security and integrate DevSecOps practices. This role involves collaborating across teams to implement robust security strategies, ensuring that application security best practices are integrated throughout the software development lifecycle. The ideal candidate will have a strong background in cloud security, application security tools, and threat modeling, making a significant impact on the organization's cybersecurity posture. Join a forward-thinking team dedicated to protecting sensitive information and driving innovation in security solutions.

Qualifications

  • 5+ years of experience in cloud-native application security.
  • Strong understanding of application security threats and vulnerabilities.
  • Proficient in cloud security practices for securing applications.

Responsibilities

  • Design and configure cybersecurity solutions to address application security risks.
  • Enhance container security and implement security measures for applications.
  • Conduct comprehensive threat modeling exercises and guide teams.

Skills

Cloud-native application security
DevSecOps practices
Container security
Threat modeling
Application Security tools (SAST, DAST, SCA)
Communication skills
Problem-solving skills

Education

Post-secondary degree in Computer Science

Tools

Kubernetes
Security tools (SAST, DAST, SCA)

Job description

Job Title: Senior Specialist Application Security
Division: Office of the Chief Information Security Officer
Reports To: Manager Application Security
Salary Range: $122,305 to $163,639
Work Location: 55 John Street, Toronto
Job Type: Permanent Full Time
Shift Information: Monday to Friday, 35 hours work week

JOB SUMMARY:

To provide strategic and operational guidance to the Manager of Application Security and the Director of Cyber Threat Management in executing a City-wide cyber program that enhances protection across the organization.

To spearhead application security initiatives by enhancing cloud-native application security, integrating DevSecOps practices, and implementing robust strategies for container security, threat modeling, and comprehensive cloud security solutions.

To collaborate with development, security, and operations teams to integrate cyber security best practices, assess vulnerabilities, and implement risk mitigation strategies for secure software development.

Additionally, this role will work with enterprise IT in designing, implementing and configuring cyber security solutions that address emerging threats and security risks, ensuring alignment with business and regulatory requirements.

MAJOR RESPONSIBILITIES:

  • Design and Configure Cybersecurity Solutions: Work closely with enterprise IT to design and configure security solutions that address application security risks. Provide hands-on support in implementing security controls and ensuring alignment with compliance and business needs.
  • Enhance Container Security: Implement and enforce security measures for containerized applications, including Kubernetes security best practices. Provide technical expertise and hands-on support to teams securing containerized environments.
  • Perform and Guide Security Assessments: Perform comprehensive application security assessments and work with development teams to ensure identified vulnerabilities are addressed and remediated effectively.
  • Research & Technical Leadership: Stay ahead of emerging threats and evolving security technologies, providing research, proof-of-concepts, and technical recommendations for cloud security (CASB), web application and API security (WAAP), securing AI systems, and other relevant areas.
  • Lead Threat Modeling Efforts: Conduct comprehensive threat modeling exercises using frameworks like STRIDE or PASTA to identify, analyze, and prioritize risks. Provide guidance to developers and security specialists on integrating threat modeling into the SDLC.
  • Manage and Optimize Security Tools: Utilize and refine SAST, DAST, and SCA tools to analyze code and third-party components for vulnerabilities. Lead the implementation of automated security testing in CI/CD pipelines and assist teams in optimizing security workflows.
  • Collaborate Across Teams: Work closely with development, operations, and IT teams to integrate security best practices into all stages of application development and deployment. Act as a subject matter expert, offering hands-on support and guidance.
  • Strengthen Secure Coding Practices: Provide direct support and training on secure coding practices, helping development teams proactively integrate security into their workflows. Conduct code reviews and offer remediation strategies.
  • Provide Project and Program Support: Contribute hands-on expertise to cybersecurity projects while also guiding junior team members. Assist in reviewing project deliverables, ensuring security objectives are met, and collaborating with stakeholders to address risks.
  • Drive Risk Management and Emerging Tech Adoption: Continuously evaluate cybersecurity risks related to new technologies. Assist in developing security strategies that balance risk reduction with business agility.
  • Support Governance & Documentation: Assist in preparing RFPs, Statements of Work, and other contractual documents. Provide security recommendations to help ensure cybersecurity-related expenditures remain within budget while achieving key objectives.

QUALIFICATIONS/CERTIFICATIONS:

  • Education: Post-secondary degree in Computer Science, Information Technology, or a related field.
  • Experience: 5+ years of experience in cloud-native application security and implementing enterprise security solutions, with a strong understanding of application security threats, attack patterns, and emerging security vulnerabilities.
  • Certifications: Preferred certifications (any in the list): CISA, CISSP, CCSP, CISM, CIA, CEH, SANS GIAC, OSCP, CSSLP, CAS.
  • Technical Skills:
  • Strong understanding and hands-on experience of Application Security tools (SAST, DAST, SCA etc.).
  • Container security knowledge, including container-centric and Kubernetes-native approaches to securing container images and runtimes.
  • Proficiency in cloud security practices and technologies, with a focus on securing cloud-native applications.
  • Strong understanding of DevSecOps practices and the ability to implement security throughout the software development lifecycle.
  • Experience with threat modeling techniques and methodologies.
  • Able to work at three levels: strategy, design, and hands-on technical.
  • Strong communication and influencing skills, for working cross functionally with teams.
  • Proficient in cloud security and industry-leading best practices for robust data protection.
  • Must have excellent knowledge of different areas of IT operations / processes (change mgmt., release mgmt.), and be able to define/design security processes to meet business requirements.

SOFT SKILLS:

  • Ability to work in transformative programs.
  • Ability to lead efficient communication between all project stakeholders, including internal teams and clients.
  • Ability to achieve business objectives through influencing and effectively working with key stakeholders.
  • Excellent written & verbal communication skills (comfortable & confident communicating at all levels including business partners, leadership and vendors).
  • Excellent problem-solving skills with capability to identify solutions to unusual and complex problems.
  • Keen attention to detail and strong organizational skills.
  • Highly organized, proactive, self-motivated team player who takes initiative and is able to work independently.
  • Ability to work in a fast-paced environment managing multiple priorities with proven time management skills.
  • Strong analytical skills and ability to prioritise and multitask.
  • Ability to prioritize and effectively manage competing priorities and projects.
  • Ability to manage multiple initiatives while adhering to strict deadlines.
  • Proactive and supportive, willing to assist the team with various tasks during peak volumes and high workloads. Able to work extremely well under pressure while maintaining a high level of professionalism.
  • Self-motivated team player who takes initiative and can work independently.
  • The ability to think critically and exercise sound judgment is essential in this field. Security professionals must be prepared to respond swiftly and effectively to cyber-related incidents.

ADDITIONAL COMMENTS/INFORMATION:

A normal work week is 35 hours; however, unforeseen situations may require extended hours of work with little or no prior notice. In case of a cyber incident or breach, rotational shifts and continuous extended hours may be required with little or no prior notice.

*Subject to a police check, background check, psychological assessment and/or any other checks on a regular basis as the Office of the CISO handles highly sensitive and confidential information.

EQUITY, DIVERSITY, AND INCLUSION

The City is an equal opportunity employer, dedicated to creating a workplace culture of inclusiveness that reflects the diverse residents that we serve. Learn more about the City’s commitment to employment equity.

ACCOMMODATION

The City of Toronto is committed to creating an accessible and inclusive organization. We are committed to providing barrier-free and accessible employment practices in compliance with the Accessibility for Ontarians with Disabilities Act (AODA). Should you require Code-protected accommodation through any stage of the recruitment process, please make them known when contacted and we will work with you to meet your needs. Disability-related accommodation during the application process is available upon request. Learn more about the City’s Hiring Policies and Accommodation Process.
