Application Security Risk Engineer

Job Title: Application Security Risk Engineer

Location: Toronto, ON (Hybrid)

Estimated Duration: 6 Months

As a Threat Modeling Engineer, you will be part of Application Security Risk Assessments team within Cybersecurity. The Application Security Risk Assessment team performs Threat Modelling of applications and technology designs to identify threats early in the Bank’s SDLC and risk management process. The Application Security Risk Assessment team is part of highly collaborative Cybersecurity and Technology organization. As a Threat Modeling Engineer you will have an opportunity to take collaborative approach in maturing threat modeling practices, identify relevant security threats to business technology, help colleagues continuously improve security practices, secure and enable business objectives.

Responsibilities:

• Be integral in continuously maturing the threat modeling practices and application security risk assessment program.
• Be integral in ensuring security threats and countermeasures are identified in projects/initiatives as part of SDLC process.
• Maintain an understanding of available security design patterns, their applicability to given initiative and identify gaps that require improvement opportunities.
• Produce high quality threat modeling artifacts and follow through in tracking of assessments and remediation activities in issue management platform and/or designated repository.
• Continuously keep apprised of business technology practices and relevant threats, both current and emerging and work with Security Architect to identify appropriate controls.
• Be an advocate for Cybersecurity company standards and industry best practices.
• Help build, improve threat libraries and controls and standardize on threat modeling practices.
• Collaborate with larger Security Assessment and Testing group in socializing threats identified in technology projects as part of overall risk analysis.
• Keep abreast of new technology trends and associated risks in application development practices, frameworks, cloud services (PaaS, IaaS, SaaS), modern data store platforms etc. and ability apply this knowledge and skills during threat modeling exercises.

• Proficient level working knowledge of Threat Modeling methodologies (e.g. Attack Trees, MSTM/STRIDE, PASTA) or performing Architecture Risk Analysis.
• Expert ability to decompose applications and system designs in hybrid cloud architectures to identify potential threats.
• Proficient level working experience in application security and security risk management practices.
• Working experience in Agile methodologies.
• Knowledge of DevOps practices and ability to champion security first, DevSecOps culture and practices.
• Prior experience in software development (e.g. Java, JS, Python) is preferred.
• Prior experience in 3 or more other security domains, e.g., ethical hacking, cloud security, network security, platform security, IAM is preferred.
• Advanced analytical skills
• Proficient communication and negotiations skills, both verbal and written.
• Is empathetic and loves to solve problems and always maintains high integrity.
• 5+ years of relevant experience and a post-secondary degree in Computer Science, Engineering, or Information Systems or a related field of study or an equivalent combination of education
• Industry certifications such as CISM, CISSP, GIAC, CEH