Application Security Architect Prin

Posted Monday, February 12, 2024 at 5:00 AM

Dayforce is a global human capital management (HCM) company headquartered in Toronto, Ontario, and Minneapolis, Minnesota, with operations across North America, Europe, Middle East, Africa (EMEA), and the Asia Pacific Japan (APJ) region.

Our award-winning Cloud HCM platform offers a unified solution database and continuous calculation engine, driving efficiency, productivity and compliance for the global workforce.

Our brand promise - Makes Work Life Better TM - Reflects our commitment to employees, customers, partners and communities globally.

Location: Work is what you do, not where you go. For this role, we are open to remote work and can hire anywhere in the United States or Canada

About the opportunity

The Dayforce Product Security team is responsible for the code-level security ofDayforce products. We enhance product security via finding, fixing, and preventing security flaws across the Dayforce family of products, including Dayforce, Dayforce Wallet, and others. On the Product Security Assurance teams, we build the tools and run the programs that eliminate security bugs in code. Beyond simply pointing out issues, we solve problems through close partnership with product and development teams. As such, we are looking for a Application Security Architect with strong technical & leadership skills, a background in product/application security, and a passion for solving complex product security challenges in a fast-moving agile environment. They should be comfortable working across the company and enjoy finding innovative ways to mitigate risk while protecting the data of more than five million users of Ceridian products.

What you'll get to do

• Implement Cloud Platform and Application Security Blueprint and drive adoption of standardized methodologies, libraries, and tools
• As a security SME, own identification and remediation of vulnerabilities within Platform and SaaS applications codebase, as well as 3rd party dependencies, with focus on maturing Application Security Engineering beyond OWASP Top Ten
• Define secure coding practices and guidance, conduct security reviews, and drive down security-related technical debt
• Conduct penetration testing using open source and commercial tools
• Develop scripts and tooling to "shift-left" common security tasks enabling DevSecOps
• Engage development teams in security feature reviews and threat modeling
• Contribute to a secure/compliant cloud-native service catalog
• Collaborate with engineering and operations teams to implement and automate security controls and processes cloud-native security monitoring, tooling, and reporting
• Foster a security-first culture by partnering with dev teams and platform engineers to balance key performance and security.
• Lead continuous product and application security reviews.
• Perform application security testing using SAST, DAST, IAST and RASP tools.
• Combine automated and manual product and application testing methods.
• Engage with internal and external teams performing vulnerability and penetration testing.
• Document security findings, outline remediation options and oversee mitigation.
• Focus on automation to aid in efficiencies with both testing and remediation of findings.
• Collaborate with developers and product managers for continuous security validation.
• Recommend controls where there are security gaps and track through to implementation and validation.
• Regularly monitor the threat landscape and assess the potential impact to products.
• Attend and participate in product meetings addressing security requirements for new and existing products.
• Serve as the primary management point of contact for product cybersecurity requirements, initiatives and escalations.
• Evaluate the existing product ecosystem and propose product changes to security leadership and engineering.
• Leverage security standards and implementation configurations, as well as common security frameworks.
• Uphold software bills of materials across products.
• Attend internal and external education and training sessions, with a focus on product security principles.
• Possess a general understanding of bug bounty programs and their management.
• Align with architects and development teams for a mission of secure design.
• Actively participate in security team meetings that facilitate secure product design.
• Possess general knowledge of product security that meets compliance, privacy laws and regulatory requirements.
• Focus on security process efficiencies, prioritizing advanced tasks to keep pace with product demand.
• Collaborate with team members and align with security, audit and risk management leadership.
• Perform other duties as assigned.

Skills and Experience we value

• Bachelor's Degree in Computer Science or equivalent experience
• Highly technical and analytical experience, with a proven deep background (five-plus years preferred in addition to cybersecurity) in software engineering.
• 7+ years experience in software development
• 7+ years experience in a Security Engineering role with a specific focus on vulnerability management and secure coding

What would make you really stand out

• One of the security certifications, such as CISSP, GSEC, Azure Architect and/or Azure Security Engineer/Technologies preferred
• Background in automated program analysis
• Experience with .NET and C#
• DevOps experience with infrastructure, cloud and application pipelines
• Experience running operational teams
• Experience in Threat Modeling using STRIDE, PASTA, or similar
• Experience with open-source (e.g. Kali Linux) and commercial penetration testing tools
• Expertise in identifying and remediating OWASP Top Ten vulnerabilities and beyond
• Expertise with Azure security services as well as Docker/Kubernetes
• Minimum 1 year of experience with active compliant environments, eg PCI-DSS, HITRUST, FEDRAMP, ISO 27001, or similarly regulated industries.
• Experience with SAST, DAST, IAST and RASP.
• Five-plus years of experience with public cloud providers (AWS, Azure, GCP).
• Experience with container security, such as Docker and Kubernetes.
• Knowledge of CI/CD platforms, such as Jenkins and CircleCI.
• Experience building prototypes of tools and exploits, as well as conducting vulnerability and penetration tests.
• Proficiency in software development (.NET, Java, Rust, Golang, Python, C++, Ruby, etc.).
• Experience with security requirements for APIs

What's in it for you

Dayforce is fueled by the diversity of our talented employees. We are an equal opportunity employer and consider and embrace ALL individuals and what makes them unique. We believe our employees should be happy and healthy, with peace of mind and a sense of fulfillment.

We encourage individuals to apply based on their passions.

Dayforce encourages personal and professional growth. We offer excellent time away from work programs, comprehensive wellness initiatives and recognition through competitive pay and benefits.

With a commitment to community impact, including volunteer days and our charity, Dayforce Cares we provide opportunities for you to thrive both in your career and personal life. Our focus is not just on your job but on supporting you to be the best version of yourself.

Fraudulent Recruiting

Beware of fraudulent recruiting. Legitimate Dayforce contacts will use an or email address. We do not request money, checks, equipment orders, or sensitive personal data during the recruitment process. If you have been asked for any of the above, or believe you have been contacted by someone posing as a Dayforce employee, please refer to our fraudulent recruiting statement found here: