Application Security Engineer

Liberating Money

We are looking for a highly skilled Application Security Engineer to own the security of our software ecosystem. You will not be writing feature code all day; instead, you will be the bridge between security and engineering.

We are specifically looking for a "Builder-turned-Breaker". Someone who started their career as a Software Engineer and transitioned into Application Security (or Pentesting). Because you have built software before, you understand the pressures of the SDLC, and you know exactly how to guide our engineers toward secure architecture without blocking innovation.

You will own our AppSec tooling (SAST/DAST/SCA) and act as the primary gatekeeper for critical code changes, specifically regarding new API routes and services.

• Own the AppSec Pipeline: Implement, tune, and manage automated security tools (SAST, DAST, SCA, Secret Scanning) within our CI/CD pipelines. Ensure these tools provide high-value signals, not noise.
• High-Value Code Reviews: Perform manual code reviews on high-risk PRs, with a specific focus on changes that expose new API routes, network services, or authentication logic.
• Vulnerability Management & Remediation: Triage results from scans and bug bounties. While you won't write feature code, you must be capable of jumping into the codebase to write patches, create unit tests for regressions, or help a developer structure a fix.
• Standardize Security Telemetry: Design and enforce structured logging standards across the application stack. You will teach developers what to log (e.g., auth failures, privilege escalation, sensitive data access) and how to log it so that our SecOps/SRE teams can successfully trace user activity during an incident.
• Security Architecture: Consult with engineering teams during the design phase (RFCs) to ensure security controls are baked in from day one (Threat Modeling).
• Developer Enablement: Act as a mentor to the Full Stack team. Translate complex security concepts into practical coding advice (e.g., "Here is how we should handle this input validation in TypeScript").
• Cloud & Infrastructure Security: Partner with DevOps to maintain WAF rules and ensure cloud-native services (GCP, Cloud Armor) are configured correctly.

• The "Dev-First" Background: You must have prior professional experience working as a Software Engineer (Backend or Full Stack) before transitioning into Security. You need to understand how code is built to secure it.
• AppSec Expertise: 3+ years of experience specifically in Application Security, Penetration Testing, or Product Security.
• Code Fluency: Ability to read and understand complex codebases (ideally JavaScript/TypeScript) to identify logic flaws that automated tools miss.
• Tooling Proficiency: Hands-on experience configuring and managing tools like GitHub Advanced Security, Burp Suite, OWASP ZAP, Snyk, or similar in a CI/CD environment.
• API Security: Deep understanding of REST, GraphQL, and tRPC security patterns. You know what to look for when a developer opens a new route.
• Observability & Forensics: Experience designing logging patterns that support incident response. You understand the difference between "debug logs" and "audit logs" and can guide engineers to implement the latter.
• Communication: You can explain why a vulnerability matters to the business and how to fix it to a Junior Developer.

• Experience transitioning from a developer role to a dedicated security role (e.g., internal transfer, self-taught pentesting).
• Offensive security experience (Bug Bounties, CTFs, OSCP).
• Experience with GCP and Kubernetes security.
• Experience working in regulated industries (FinTech, SOC2, ISO

The pay range for this role is:

150, ,000 CAD per year(Remote (Canada))