Senior Application Security Engineer

About us:

Spring Financial is revolutionizing financial access for Canadians, providing smart credit-building, mortgage, and lending solutions. Millions struggle with high-interest debt and limited financial options—we're here to change that.
As one of Canada's fastest-growing fintech companies, annually we help 1 million customers explore their financing options with ease—online, via text, or over the phone. Our dynamic, innovative team thrives on collaboration, growth, and making a real impact.
To learn more about our products please visit our website here:

NOTE: This is a full-time, permanent, hybrid position in downtown Vancouver, with 3 set days in the office and 2 WFH.

Job Overview:

As a Senior Application Security Engineer at Spring Financial, you will lead technical efforts to secure the software systems that power our business. You are responsible for driving security best practices across our engineering organization — embedding secure development into how we design, build, and deploy software.

You'll work closely with product engineering, DevOps, platform, and compliance teams to identify risks, implement controls, and help teams ship secure, reliable features. You bring hands-on expertise in secure coding, threat modeling, and modern appsec tooling, along with the communication skills to influence cross-functional teams.

This is primarily an individual contributor (IC) role, but may include leading a small team of engineers or acting as the technical owner for application security across the organization. You are expected to lead by example — through strong technical execution, collaborative problem-solving, and a practical, risk-aware approach to security.

You'll play a critical role in scaling our secure development lifecycle, supporting audit and compliance needs (e.g. SOC 2), and ensuring Spring's applications can evolve quickly without compromising trust.

What you'll do:

• Own Spring's application security strategy and roadmap — aligning initiatives with risk priorities, business needs, and platform evolution.
• Lead the definition and rollout of secure development practices (e.g., threat modeling, secure code review, dependency management, static/dynamic analysis).
• Partner with engineering teams to identify and remediate security risks across applications, services, APIs, and cloud environments.
• Define and manage Spring's SDL (Secure Development Lifecycle), embedding security reviews, tooling, and guardrails into CI/CD workflows.
• Support Spring's compliance posture, including SOC 2 readiness, audit participation, and evidence gathering for application-level controls.
• Own or contribute to incident response efforts for application-related vulnerabilities or exposures.
• Evaluate and implement security tools and services (e.g., SAST, DAST, SBOM, secrets scanning, WAF, CSPM) that improve detection and resilience.
• Collaborate with platform, DevOps, and IT teams on access control, secret management, and zero-trust enforcement.
• Mentor and grow the appsec team, supporting both technical depth and cross-functional influence.
• Support audit and compliance efforts by providing evidence, documentation, and system-level controls related to application security.
• Act as a subject matter expert for product and engineering teams on secure architecture, data protection, and third-party risk.
  
• Track and communicate security posture through clear metrics, risk registers, and executive-level reporting.

What You Should Already Have:

• 5+ years of experience in application security, software engineering, or security engineering roles, including at least 2 years in a leadership capacity.
• Deep knowledge of web and cloud application security principles, OWASP Top 10, and secure coding best practices.
• Experience implementing SDL processes and integrating security into CI/CD pipelines and agile environments.
• Familiarity with threat modeling frameworks (e.g., STRIDE, PASTA) and secure architecture reviews.
• Familiarity with cloud-native architecture (e.g., AWS, microservices, containerization, API gateways).
• Hands-on experience with modern appsec tools (e.g., Snyk, GitHub Advanced Security, Burp Suite, Semgrep, Checkov, or similar).
• Understanding of common identity, access, and secrets management patterns (e.g., OAuth, JWT, Vault, AWS IAM).
• Strong communication and collaboration skills; able to influence without authority and align across engineering and business stakeholders.
• Experience supporting compliance initiatives such as SOC 2, PCI DSS, or ISO 27001 is a plus.

What We Will Give You: 

• Competitive annual salary ranging from $131,500 to $155,000, reflective of experience and impact.
• Comprehensive benefits package, including extended health, dental, and vision coverage — with 100% of monthly premiums covered by the Spring.
• GRSP matching program to support your long-term financial goals.
• Transit-Friendly Employer (Transit allowance).
• A modern, collaborative workspace in the heart of downtown Vancouver.
• Ongoing career growth opportunities.
  
• This position is hybrid and requires in-office presence; relocation assistance is available for the hired candidate (if out of province)

This is a truly exciting time to join Spring Financial and we are looking forward to doing great things together

---

Please note: Upon applying, our Talent Acquisition team will review your resume. If you qualify, we will reach out to learn more about your experience and answer any questions you may have about the role, benefits, compensation, and more. Due to high application volume, we may not be able to respond to everyone.

Thank you for your interest We appreciate your time and look forward to reviewing your application