Senior Application Security Engineer

Ottawa, Ontario, Canada | IT & Security


Veem empowers small and medium businesses who spend too much time and money dealing with inefficient payment systems. Our transparent, relationship-based payments model makes it easy to build trust with your vendors, contractors and customers by providing a quick and seamless payable and receivable process. We make the process even easier for these clients by supporting integration with major accounting software including QuickBooks, Netsuite, and Xero. Backed by top investors such as Truist Ventures, Google Ventures, Goldman Sachs, Kleiner Perkins and a global syndicate of tech-forward banks based in the US, Japan, China, Australia, and the Middle East, Veem is a fast-growing financial technology company that is changing the way companies pay and get paid.

As a Product/Application Security Engineer at Veem, you will play an important role in maturing a nascent security practice and improving the security of Veem’s products. In this role you will collaborate closely with designers, engineers, analysts, product managers and other cross-functional team members within the organization to ensure that our products are designed with privacy, security and compliance in mind, without compromising on our commitment to user delight. Veem considers this position key to building world-class products that embed security into every aspect of the development process, integrate automated security testing, and maintain a strong security compliance posture.

Responsibilities

  • Participate in design discussions with product and engineering teams, advocate for secure design/practices, and relay unvarnished information to the rest of the security team from these discussions
  • Take charge of identifying and remediating security flaws in our application stack, in collaboration with members of the engineering team.
  • Increase test coverage in sensitive areas of our codebase and mature Security Testing and Signoff (SAST, SCA, IAST, DAST, RASP) that help us continually verify that our security program is working.
  • Instill confidence within product and engineering teams to build in security and privacy by design. 
  • Help implement Secure Software Development Lifecycle (SSDLC) practices and improve automation
  • Perform security tasks including threat modeling, developer training, static code analysis, dynamic runtime fuzzing, software security testing and participate in code reviews
  • Work on fixing vulnerabilities, building in security telemetry/instrumentation, and adding security features to our products/applications.
  • Work with the product and engineering teams to prioritize fixes for vulnerabilities and release these fixes with minimal disruption, factoring in dependencies.
  • Design tooling and frameworks to make incorporation of security best practices into our codebase easier for engineers.
  • Help product managers prioritize roadmap items in order to balance security and business risks and design Security as a Feature in Product
  • Identify cross-cutting security concerns and work with security and engineering teams to develop common solutions and infrastructure
  • Integrate automated security testing (including both static and runtime) capabilities into an evolving CI-CS-CD program.
  • Update, maintain, and deploy new training programs for new engineering hires, annual certification, and expert-level developers
  • Develop and deliver consistent automated metrics, KPIs and KRIs aligned to OKRs, covering key aspects of the software security program.
  • Take charge of identifying and remediating security flaws in our application stack,
    increase test coverage in sensitive areas of our codebase, and implement penetration testing tools that help us continually verify that our security program is working.
  • Manage scope, scheduling, and remediation of vulnerabilities found as part of pen testing.

Knowledge, Skills & Abilities

  • Ability to perform security triage and analysis of security flaws, including Common Vulnerability Scoring System (CVSS) metrics scoring, Common Weakness Enumeration (CWE) categorization, and Common Vulnerabilities and Exposures (CVE) assignment processes
  • Working knowledge of Open Web Application Security Project (OWASP) Top 10 Web Application Security Risks
  • Knowledge of industry security standards, frameworks and compliance requirements such as PCI-DSS, C2M2, NIST, ISO27001, SOC2, GDPR
  • Work experience in Payments industry shall be considered an asset
  • Professional experience with web applications and microservice architecture shall be considered an asset

Requirements

  • Bachelor’s degree in Software Engineering or related field
  • 5+ years of experience delivering application security programs, or a combination of higher education, certifications & experience
  • Software Application Development experience
  • Sound knowledge of all procedures, standards, and regulations for authorization and authentication, applied cryptography, and security vulnerabilities
  • Expert understanding of product engineering and expert knowledge of coding in Java
  • At least 5 years of development experience in Java and Spring Boot is a must
  • Strong familiarity with multiple software security paradigms including MSSDL, BSIMM, and CSSLP.
  • Working knowledge of all vulnerability classes on the OWASP Periodic Table of Vulnerabilities.
  • Ability to function in a fast-paced environment and be available off hours as needed by business priorities; a self-starter who works well under stress
  • Excellent interpersonal communication skills and organizational savvy
  • Indispensable - A sense of humour!

COVID-19 considerations: The office has masking and social distancing protocols in place. Subject to legal restrictions, all employees will be required to provide proof of vaccination to be regularly in the office.

Perks

  • Competitive Salary
  • Comprehensive Benefits Package (Health, Dental, Medical, Vision) from Day 1
  • Group RRSP Plan (after 3 months)
  • 3 weeks vacation
  • Friday afternoon unwind
  • Professional Development (Growth - Learning & Development)