The Canadian Digital Service (CDS) is tasked with changing how the federal government designs and delivers digital services, to reduce the risk of product failure, lower costs, ensure user privacy and system security, and, above all, improve people’s lives by putting their needs and concerns front and center.
We believe every experience Canadians have with their government should meet or exceed their reasonable modern expectations that digital services be safe, fast, easy, transparent, and accessible. Working in the open, we’re building capacity across the government for better service delivery. And we need you. We’re hiring a Senior Application Security Developer. While we have locations in Ottawa, Montreal, Toronto, and Kitchener, we largely work in a distributed way and equally value candidates in other parts of Canada.
This position reports to the Head of Platform Core Services. We work in small multidisciplinary agile teams utilizing a modern, forward-thinking approach to security. We focus on self-service tooling, proactive security monitoring and providing the education required to solve cross-cutting cyber security challenges across CDS. Senior Application Security Developers are classified as IT-04 or IT-05 (previously CS-04/CS-05) in the Computer Systems group.
You’ll need to accomplish the following things:
As a Senior Application Security Developer you’ll play a leading role in driving the direction of our security engineering capability and shape the tools that we create, ensuring they’re reliable, supportable, maintainable and aligned to industry best standards.
You will also:
- plan, prioritize and deliver security tools and solutions
- lead application security reviews and threat modeling, including code review and dynamic testing
- guide and advise product development teams as a subject matter expert in the area of application security
- correctly balance security risk and product advancement
- maintain and participate in operational support rotas, including our out-of-hours on-call rota
We’re interested in people who:
- understand that security isn’t just a technology problem
- have successfully delivered effective technology solutions that reduced risk and improved the security of an organization
- have exposure to DevOps (Terraform, GitHub) and DevSecOps tools and security automation frameworks (SAST, DAST, IAST, SCA, pentesting, manual code reviews, SSDLC, WAF and bot protection tools tuning and hardening, threat modeling)
- have knowledge of AWS
- have an active interest in developing people, both personally and professionally
- can effectively operate at a strategic level in setting goals and long-term roadmaps, as well as in a technical hands-on capacity
We’ll evaluate you based on:
We will be looking at your experience, career history and achievements that are relevant to the specific job role. We may assess your ability, strength, experience, technical/specialist skills and behaviors.
- strong understanding and experience with common security libraries, security controls, and common security flaws
- strong understanding of the web’s architecture
- strong development or scripting experience and skills. You’re able to significantly and effectively contribute to the product and its security