Application Security Specialist - 6-Month Contract (Hybrid)
Vancouver, Canada
Central 1
Central 1 cooperatively empowers credit unions and other financial institutions to deliver banking choice to Canadians. Central 1 provides critical services at scale to enable a thriving credit union system. We do this by collaborating with our clients, developing strategies, products and services to support the financial well-being of their more than 5 million diverse customers in communities across Canada. For more information, visit www.central1.com.
What we offer:
- Work-life flexibility
- Hybrid work environment
- One time allowance to set up your office for remote first employees
- Variable annual incentive plan
- Generous annual vacation allotment
- Top-notch flexible benefits plan including family building and gender affirmation
- Retirement Plan, matched contributions at 6%
- Access to a learning platform and educational assistance support
- Access to a virtual wellness platform
- Career development opportunities
- Wellness Flex Fund to support personal interest and activities
- Day off to volunteer in your community and other paid time off options
- Corporate discounts
*subject to employment agreement
Job Summary:
The Application Security Specialist will have extensive experience in full stack web applications, API, and/or mobile development. They will understand and be comfortable articulating the principles of secure coding to the Development and Technology teams within Central 1, and enjoy identifying and remediating application vulnerabilities for breakfast.
The ideal candidate is expected to be a champion for good and sustainable development practices to improve the security posture of Central 1’s application portfolio by supporting teams to build stable, mature and secure applications.
The candidate will apply their passion for application security through the direct application of their skills in the areas of threat modelling, secure coding methodology and application vulnerability testing, while evangelizing secure development and design as key components to overall application health, stability, and the success of Central 1 as an organization.
What you'll be doing:
- Facilitate threat modelling and risk assessments at the product, project, and individual team level.
- Participate in the planning and design of enterprise security architecture.
- Participate in the creation of enterprise security documents (architecture blueprints, policies, standards, baselines, guidelines and procedures).
- Provide oversight and contribute to the design and deployment of application solutions within Central 1 to ensure they are carried out following C1’s SOC 2 Type 2 Process.
- Maintain up-to-date detailed knowledge of the information and application security industry, including awareness of new or revised security solutions, improved security processes or development practices, and the development of new attacks and threat vectors.
- Recommend additional security solutions or enhancements to existing security solutions to improve overall enterprise security.
- Develop and implement security testing strategies for SAST, DAST, and penetration testing.
- Develop CI/CD pipelines to facilitate automated security testing.
- Perform penetration testing or develop exploits for testing as required.
- Participate in investigations into problematic activity, triage vulnerable application components, and validate fixes provided to mitigate existing vulnerabilities.
What you'll have:
- A STRONG interest in secure software development, exploit development, or good development hygiene in general.
- Post-secondary credentials with an IT or software development focus, or equivalent work experience.
- 5+ years of software development or QA-related work experience.
- 5+ years of experience with one or more of Java, Python, PHP, C++, C#, or Objective-C.
- 2+ years spent working in a web API development function.
- 2+ years of experience developing secure coding practices, identifying and remediating weak code, and building exploits to target weak code or verify security fixes.
- Knowledge of threat modelling and risk mitigation strategies.
- 3+ years of experience deploying and supporting complex web application environments.
- A detailed understanding of the OWASP Top 10 and SANS Top 25 and the ability to recognize and discuss these vulnerabilities in code.
- A strong understanding of web-based communication protocols such as HTTP, TLS, WebSockets, and SOAP.
- A strong understanding of API standards and testing tools such as Swagger/OpenAPI, Postman, or WSDL.
- Experience developing applications in the financial services environment.
- Working knowledge of Linux or BSD-based operating systems, and shell scripting.
Nice to have:
- Experience with PortSwigger Burp, OWASP ZAP, or another web application testing platform.
- Experience using security testing tools such as the tool sets provided in Kali Linux or Metasploit.
- Experience developing or modifying Metasploit modules.
- Experience with threat modelling techniques such as STRIDE, DREAD, or PASTA.
- Experience with assessing and scoring identified risks using methodologies such as the OWASP risk matrix.
- Experience performing full web application security (penetration) tests from start to finish, including report development and delivery.
- Experience using SIEM/logging platforms such as Splunk, ELK Stack, Datadog, New Relic, or Dynatrace.
- Understanding of IP, TCP/IP, and other network administration protocols.
- Understanding of Windows Server, Windows Desktop, and macOS operating systems.
- Familiarity with incident management, issue tracking systems, and ISO 27001.
- One or more certifications in application security such as GPEN, OSCP, etc.
Hourly rate: $75.00 - $90.00/hour
The hourly rate represents the job rate determined for the successful candidate who is fully competent in the role. The actual salary will vary depending on market conditions and relevant job-related factors such as knowledge, skills, qualifications, experience, and education/training.
#LI-Hybrid
Central 1 is an equal opportunity employer and committed to building an inclusive workforce by creating an environment where everyone feels like they belong and has the opportunity to be successful. We welcome all applicants to join our diverse workforce and we will provide an accessible candidate experience including, but not limited to accommodations to interview sites and alternate formats upon request to our Recruitment team.
Tags: APIs Application security Banking BSD C CI/CD DAST ELK Exploit Exploits Full stack GPEN ISO 27001 Java Kali Linux MacOS Metasploit OSCP OWASP Pentesting PHP PostMan Python Risk assessment SANS SAST Scripting SIEM SOC SOC 2 Splunk TCP/IP TLS Vulnerabilities Web application testing Windows
Perks/benefits: Career development Flex hours Flex vacation Health care Startup environment Team events Wellness