- B2B
- Growth Stage: Expanding market presence
- Top Investors: This company has received a significant amount of investment from top investors
Senior Software Security Engineer
- $114k – $187k
- Full Time
About the job
As a Senior Software Security Engineer, you will play a pivotal role in safeguarding our organization's digital assets by designing, implementing, and maintaining robust security solutions. You will focus on application security, vulnerability management, cloud security, vendor security, and ensuring security and privacy by design principles are embedded throughout the software development lifecycle. You will work closely with cross-functional teams, including Engineering, DevOps, and Product, to influence and execute security roadmaps and foster a culture of security-first thinking.
Key responsibilities:
AppSec/Product Security
- Collaborate with engineering teams to promote secure coding practices and integrate security tools into the CI/CD pipelines.
- Collaborate with product and engineering teams to ensure security and privacy considerations are integrated into every phase of the SDLC.
- Collaborate on development projects to build or enhance security features, create security roadmaps aligned with best practices and customer expectations, and guide product owners on threat modelling and attack surface analysis.
- Perform static and dynamic application security testing (SAST/DAST) and perform vulnerability assessments to ensure secure development and delivery.
- Define and embed security requirements throughout the development lifecycle, ensuring they are effectively implemented and aligned with organizational security standards.
- Review application and system designs to ensure security requirements are appropriately traced, validate implementation plans, and recommend improvements to enhance the overall security posture.
- Provide security guidance in implementing enterprise security technologies (such as DNS, Email, and Secure file transfers).
- Ensure the effective operation of enterprise security tools and technologies, including 2FA/MFA for resource access, SIEM/SOAR/EDR, and endpoint security.
- Manage certificate lifecycles, security configuration, and vulnerability assessment.
Vulnerability
- Facilitate, promote, and perform secure code reviews to identify and mitigate vulnerabilities effectively.
- Identify, assess, and prioritize vulnerabilities across infrastructure, applications, and cloud environments, managing triage and resolution of security defects in collaboration with engineering teams.
- Establish processes and capabilities to respond effectively to externally reported product vulnerabilities, ensuring timely mitigation and stakeholder communication.
- Develop detailed risk reports and remediation plans, while managing third-party component vulnerabilities and implementing a robust program for external evaluation, including a bug bounty strategy.
- Assist in security vulnerability identification and management.
Architecture
- Build and maintain a consolidated security architecture roadmap for Product, SaaS Operations and Enterprise (internal Information Technology systems and 3rd party vendors).
Cloud
- Assess/review cloud security measures, ensuring proper configuration and use of CSPM and CWP tools across environments like AWS.
Risk and Compliance
- Assist in investigating security breaches, misuse of computer resources, and other violations of information security policies and technology standards.
- Evaluate third-party vendors to ensure their security offerings align with our organization's requirements and standards.
- Manage compliance with external security standards (ISO-27001, SOC 2 etc.) and coordinate internal resources for external audits as needed.
- Lead threat modelling sessions to identify potential risks in system designs.
- Assist Senior Management in defining the overall information security strategy.
- Develop frameworks and best practices to improve the organization’s security posture.
Qualifications:
Don’t meet every single requirement? Studies have shown that women and people of color are less likely to apply to jobs unless they meet every qualification. At Affinity, we are dedicated to building a diverse, inclusive, and authentic workplace, so if you’re excited about this role, but your past experience doesn’t perfectly align with the qualifications above, we encourage you to apply anyway. You may be just the right candidate for this or other roles.
Required:
- You have 8+ years of experience working in backend software engineering, with at least 5 of those years acting as a senior security engineer, leading complex cloud software security projects across teams.
- Experience performing source code-enabled security assessments, root cause, and adjacency analysis.
- Thorough knowledge of OWASP top 10 and other standards like NIST SP 800-64.
- You have experience writing server-side code leveraging modern OOP practices using Ruby and PostgreSQL.
- Software development experience in one of the following core languages: Ruby, Java, JavaScript, or Python.
- Strong communication and collaboration skills to work effectively with cross-functional teams and influence product security.
- You're excited to work collaboratively within engineering and as part of a cross-functional team.
Nice to have:
- Security certification(s): e.g. CISSP, SSCP, CSSLP, ISSAP, etc.
- Adequate knowledge of web-related technologies (web applications, web services, and service-oriented architectures) and network and web-related protocols.
- BS degree in Computer Science or a related field.
How we work:
Our culture is a key part of how we operate as well as our hiring process:
- We iterate quickly. As such, you must be comfortable embracing ambiguity, be able to cut through it, and deliver incremental value to our customers each sprint.
- We are candid, transparent, and speak our minds while simultaneously caring personally about each person we interact with.
- We make data-driven decisions and make the best decision for the moment based on the information available.
Join us in enabling every professional on the planet to succeed by harnessing the power of their relationships.
What you’ll enjoy at Affinity:
- We live our values as playmakers, obsessed with learning, care personally about our colleagues and clients, are radically open-minded, and take pride in everything we do.
- Health Care coverage and flexible personal & sick days. We want our team to be happy and healthy :)
- We provide an annual budget for you to spend on education and offer a comprehensive L&D program – after all, one of our core values is that we’re #obsessedwithlearning!
- We support our employees’ overall health and well-being and reimburse monthly for things such as transportation, home internet, meals, and wellness memberships/equipment.
- Virtual team building and socials. Keeping people connected is essential.
Please note that the role compensation details below reflect the base salary only and do not include any equity or benefits. This represents the salary range that Affinity believes, in good faith, at the time of this posting, that it will pay for the posted job.
A reasonable estimate of the current range is $113,800 - $187,000 CAD. Within the range, individual pay depends on various factors including geographical location and review of experience, knowledge, skills, abilities of the applicant.
About the company
Affinity.co
- Valuation $500M+: This company has a valuation of $500M or more