Application Security Analyst

Ontario 407

$95K — $115K *
Information Technology
5 - 7 years of experience
Job Overview by Ladders

Qualifications

  • 5+ years in IT Security, focusing on Security Operations
  • College Diploma or University Degree in Computer Science or related field
  • Hands-on experience with EDR platforms
  • Proficiency in NDR technologies and network threat detection
  • Strong understanding of MITRE ATT&CK techniques and defensive measures
  • Experience in regulated or audit-driven environments
  • Solid grasp of authentication and authorization concepts, including MFA and RBAC

Responsibilities

  • Embed security requirements into development cycles
  • Lead threat modeling for new and modified services
  • Define and manage SDLC security gates
  • Implement and optimize security tooling within CI/CD
  • Secure build pipelines and environments in partnership with DevOps
  • Manage findings from security assessments and track remediation
  • Provide secure coding guidance and support for developers

Benefits

  • Collaborative work environment focusing on security integration
  • Opportunity to lead and shape security practices
  • Engagement with diverse teams across the organization
  • Exposure to a range of security tools and learning opportunities
  • Potential for career growth within an established organization
Full Job Description
Title: Application Security Analyst

Department: Information Technology

Location: 6300 Steeles Ave West, Woodbridge

Total Potential Compensation: $95,000-$115,000

Position Summary:

As an Application Security Analyst, you will be responsible for supporting and operating core security capabilities across 407 ETR's digital environment, with a primary focus on application security. This includes promoting secure-by-design practices throughout the SDLC and supporting the integration and operation of security tooling and automation, such as SAST, DAST, SCA, ASPM, and penetration testing services. You will work closely with Architecture, DevOps, QA, Product teams, and external partners to embed security controls into requirements, design, development, testing, and release activities, and track and manage security vulnerabilities through remediation. This role also contributes to improving the overall cyber and technology risk posture, with measurable improvements reflected in the Technology and Cyber Risk Indices (TRI/SRI).

Hours of work are onsite, Monday to Friday, 7.5 hours daily, or as required. After-hours support and on-call duties may be required for priority releases or security incidents.

Position Responsibilities:

AppSec Strategy & SDLC Integration

  • Embed security requirements and non-functional controls into epics, features, and user stories; maintain security traceability throughout the lifecycle.


  • Lead threat modeling at design time for new and changed services (web, mobile, APIs, microservices) and ensure mitigations are implemented prior to coding.


  • Define and operate SDLC security gates (pre-commit, build, test, deployment) with policy-driven thresholds (e.g., fail on Critical/High) and exceptions governance.


DevSecOps Tooling & Automation

  • Implement and tune SAST, DAST, SCA and ASPM integrations within CI/CD, ensuring coverage, accuracy, and developer-friendly feedback loops; coordinate PTaaS cycles aligned to release schedules


  • Partner with DevOps to secure build pipelines, artifacts, and environments (e.g., IaC scanning, container image hardening, secrets management, SBOM generation and validation)


  • Work with platform teams to evolve pipelines consistent with the 407 ETR DevOps framework and future-state CI/CD models


Findings Management & Risk Reporting

  • Operate a unified findings intake (ASPM as system of record) for automated tool outputs and manual assessments; triage, prioritize, and track remediation to closure


  • Apply a risk-based SLA model (severity, exploitability, asset criticality) and escalate overdue items; publish weekly triage outcomes and monthly KPIs.


  • Report AppSec posture using TRI/SRI aligned metrics (e.g., unresolved criticals, mean-time-to-remediate, coverage, policy conformance)


Secure Engineering Enablement

  • Provide secure coding guidance, sample patterns, and remediation support for developers; deliver targeted training and office hours


  • Collaborate on architecture reviews, pen-test scoping, and change risk assessments for web and mobile (using established change-type workflow)


  • Contribute to AppSec policies/standards and improve documentation (playbooks, runbooks, "definition of done" security criteria)


Additional Technical Experience

  • Experience with Data Loss Prevention (DLP) technologies and controls, including policy configuration, monitoring, and incident investigation, is required


  • Experience with Single Sign-On (SSO) integrations and identity federation protocols is an asset.


Compliance & Vendor Management

  • Ensure controls align with PCI DSS Secure SDLC, ISO 27001/27002, and NIST DevSecOps guidance (e.g., SP 800-204D); support internal/external audits and evidence collection


  • Manage AppSec vendor relationships and deliverables per the Application Security Managed Service scope (ASPM, PTaaS, continuous monitoring)


Note: This job description is not intended to be all-inclusive. The employee may perform other related duties, as assigned, to meet the ongoing needs of the organization.

Qualifications
  • Minimum 5+ years of experience in IT Security, with strong hands-on experience in Security Operations.
  • College Diploma or University Degree in Computer Science, Engineering, or related field.
  • EDR platforms (e.g., endpoint containment, alert triage, investigation).
  • NDR technologies and network-based threat detection.
  • Security Incident Response and Investigation.
  • Strong understanding of attacker techniques and defensive controls (MITRE ATT&CK).
  • Experience working in regulated or audit-driven environments.
  • Strong understanding of authentication, authorization, MFA, RBAC, and privileged access concepts.
  • SSO Authentication: Experience implementing and supporting SSO solutions for secure user access across enterprise applications.

Preferred Qualifications
  • Knowledge of standing up a mature Application Security framework
  • Experience with enterprise SOC tooling including SIEM, EDR, NDR, SOAR.
  • Experience operating security controls in hybrid (on-prem and cloud) environments.
  • Familiarity with Security Risk Index (SRI), cyber risk metrics, or risk-based reporting.
  • Knowledge of network architecture and segmentation concepts.


We are actively seeking to fill this role as it is a current vacancy.

Similar Jobs

More Jobs at Ontario 407

More Information Technology Jobs

Find similar Application Security Analyst jobs: