Role Description

We are seeking an experienced Senior Application Security SME/ DevSecOps Security Consultant to lead and mature application security practices across enterprise platforms and development teams. The ideal candidate will have deep expertise in modern application architectures secure coding practices security testing methodologies and the ability to partner effectively with development engineering DevOps and risk teams to embed security throughout the software delivery lifecycle.

Primary Skills

• Application Security
  
• Secure SDLC (SSDLC)
  
• DevSecOps
  
• Threat Modeling
  
• Cloud Security (Azure AWS GCP)
  
• Security Architecture
  
• Vulnerability Management
  
• SAST / DAST / SCA
  
• OWASP Top 10
  
• API Security
  

Key Responsibilities

Application Security Strategy & Advisory

• Act as the Subject Matter Expert (SME) for application security across enterprise platforms and development teams.
  
• Define and enhance the organizations application security strategy standards and control frameworks.
  
• Provide expert guidance on secure design secure coding threat mitigation and vulnerability management.
  
• Partner with engineering and architecture teams to embed security-by-design principles into applications and digital initiatives.
  

Secure SDLC / DevSecOps Enablement

• Drive implementation and maturity of the Secure Software Development Lifecycle (SSDLC).
  
• Integrate security controls and testing into CI/CD pipelines and DevSecOps workflows.
  
• Enable use of security tools and automation across build and release processes.
  
• Promote a shift-left security approach to detect and remediate issues early in the development lifecycle.
  

Architecture Reviews & Threat Modeling

• Perform application architecture and design reviews to identify security risks and recommend remediation strategies.
  
• Lead threat modeling sessions for web mobile API and cloud-native applications.
  
• Review application components for vulnerabilities related to authentication authorization session management input validation data protection and API security.
  
• Recommend secure reference architectures reusable security patterns and implementation guardrails.
  

Security Testing & Vulnerability Management

• Lead or support application security assessments including:
  • Static Application Security Testing (SAST)
    
  • Dynamic Application Security Testing (DAST)
    
  • Software Composition Analysis (SCA)
    
  • API Security Testing
    
  • Manual Security Reviews and Penetration Testing Coordination
    
• Analyze triage and prioritize vulnerabilities based on risk and business impact.
  
• Work closely with development teams to track remediation and validate closure of security issues.
  
• Support secure management of open-source components and third-party libraries.
  

Cloud & Modern Application Security

• Provide security guidance for modern application environments including:
  • Microservices and APIs
    
  • Containers and Kubernetes
    
  • Cloud-Native Applications
    
  • Serverless and Event-Driven Architectures
    
• Collaborate with cloud and platform engineering teams to secure application workloads in Azure AWS or GCP.
  

Compliance Governance & Risk

• Ensure application security practices align with internal security policies and external standards and regulations.
  
• Support compliance requirements related to secure development and application security controls.
  
• Contribute to audit responses control evidence collection and security risk assessments.
  
• Develop security metrics dashboards and reporting to track application security posture and control effectiveness.
  

Required Qualifications

• Bachelors degree in Computer Science Information Security Engineering or related field.
  
• 8 years of experience in Application Security Secure Software Engineering Cybersecurity Architecture or related roles.
  
• Proven experience implementing and managing application security programs in enterprise environments.
  

Strong Understanding Of

• Secure SDLC / SSDLC
  
• DevSecOps Principles
  
• OWASP Top 10
  
• API Security Top 10
  
• Common Software and Web Application Vulnerabilities
  

Hands-On Experience With Application Security Testing Tools

SAST

• Checkmarx
  
• Fortify
  
• Veracode
  
• SonarQube
  

DAST

• Burp Suite
  
• AppScan
  
• Acunetix
  

SCA

• Snyk
  
• Black Duck
  
• Mend / WhiteSource
  

Additional Requirements

• Experience in Threat Modeling methodologies (e.g. STRIDE).
  
• Strong knowledge of Authentication Authorization Encryption Secrets Management and Secure Design Principles.
  
• Experience working with Cloud Platforms such as Azure AWS or GCP.
  
• Strong verbal and written communication skills with the ability to work across technical and non-technical stakeholders.
  

Preferred Qualifications

• Experience in highly regulated industries such as:
  • Banking
    
  • Financial Services
    
  • Insurance (BFSI)
    
  • Healthcare
    
  • Public Sector
    

Familiarity With

• NIST
  
• ISO 27001
  
• PCI-DSS
  
• SOC 2
  
• OSFI Guidelines (Canada)
  

CI/CD Platforms

• Azure DevOps
  
• Jenkins
  
• GitHub Actions
  
• GitLab
  

Additional Exposure

• Container Security
  
• Kubernetes Security
  
• Cloud Workload Protection
  
• Red Team / Blue Team Collaboration
  
• Application-Layer Attack Simulation
  
• Security Incident Response Readiness
  

Preferred Certifications

• CISSP
  
• CSSLP
  
• CISM
  
• CEH
  
• GWAPT
  
• OSCP
  
• Azure Security Certifications
  
• AWS Security Certifications
  
• GCP Security Certifications