Title: Application Security Analyst
Department: Information Technology
Location: 6300 Steeles Ave West, Woodbridge
Total Potential Compensation: $95,000-$115,000
Position Summary:
As an Application Security Analyst, you will be responsible for supporting and operating core security capabilities across 407 ETR’s digital environment, with a primary focus on application security. This includes promoting secure-by-design practices throughout the SDLC and supporting the integration and operation of security tooling and automation, such as SAST, DAST, SCA, ASPM, and penetration testing services. You will work closely with Architecture, DevOps, QA, Product teams, and external partners to embed security controls into requirements, design, development, testing, and release activities, and track and manage security vulnerabilities through remediation. This role also contributes to improving the overall cyber and technology risk posture, with measurable improvements reflected in the Technology and Cyber Risk Indices (TRI/SRI).
Hours of work are onsite, Monday to Friday, 7.5 hours daily, or as required. After-hours support and on-call duties may be required for priority releases or security incidents.
Position Responsibilities:
AppSec Strategy & SDLC Integration
Lead threat modeling at design time for new and changed services (web, mobile, APIs, microservices) and ensure mitigations are implemented prior to coding.
Define and operate SDLC security gates (pre‑commit, build, test, deployment) with policy‑driven thresholds (e.g., fail on Critical/High) and exceptions governance.
DevSecOps Tooling & Automation
Implement and tune SAST, DAST, SCA and ASPM integrations within CI/CD, ensuring coverage, accuracy, and developer‑friendly feedback loops; coordinate PTaaS cycles aligned to release schedules
Partner with DevOps to secure build pipelines, artifacts, and environments (e.g., IaC scanning, container image hardening, secrets management, SBOM generation and validation)
Findings Management & Risk Reporting
Report AppSec posture using TRI/SRI aligned metrics (e.g., unresolved criticals, mean‑time‑to‑remediate, coverage, policy conformance)
Secure Engineering Enablement
Additional Technical Experience
Experience with Data Loss Prevention (DLP) technologies and controls, including policy configuration, monitoring, and incident investigation, is required
Compliance & Vendor Management
Ensure controls align with PCI DSS Secure SDLC, ISO 27001/27002, and NIST DevSecOps guidance (e.g., SP 800‑204D); support internal/external audits and evidence collection
Note: This job description is not intended to be all-inclusive. The employee may perform other related duties, as assigned, to meet the ongoing needs of the organization.
Qualifications
Minimum 5+ years of experience in IT Security, with strong hands-on experience in Security Operations.
College Diploma or University Degree in Computer Science, Engineering, or related field.
EDR platforms (e.g., endpoint containment, alert triage, investigation).
NDR technologies and network-based threat detection.
Security Incident Response and Investigation.
Strong understanding of attacker techniques and defensive controls (MITRE ATT&CK).
Experience working in regulated or audit-driven environments.
Strong understanding of authentication, authorization, MFA, RBAC, and privileged access concepts.
SSO Authentication: Experience implementing and supporting SSO solutions for secure user access across enterprise applications.
Preferred Qualifications
Knowledge of standing up a mature Application Security framework
Experience with enterprise SOC tooling including SIEM, EDR, NDR, SOAR.
Experience operating security controls in hybrid (on‑prem and cloud) environments.
Familiarity with Security Risk Index (SRI), cyber risk metrics, or risk-based reporting.
Knowledge of network architecture and segmentation concepts.
We are actively seeking to fill this role as it is a current vacancy.
About 407 ETR
Highway 407 ETR is an all-electronic open-access toll highway located in the Greater Toronto Area in Ontario, Canada. The highway spans 108 kilometres from Burlington in the west to Pickering in the east.
407 International Inc. is the sole shareholder of 407 ETR and is owned by:
Cintra Global S.E., a subsidiary of Ferrovial S.A. (48.29%)
Canada Pension Plan Investment Board (CPP Investments) and other institutional investors with non-controlling interests (44.20%)
Public Sector Pension Investment Board (PSP Investments) (7.51%)
Learn more at 407etr.com
Note: At 407 ETR, we are committed to fostering a diverse, equitable, and inclusive work environment. We value the unique perspectives and backgrounds of all individuals, and we firmly believe that our individual differences make us stronger as a whole.
Our commitment to inclusion extends beyond recruitment and encompasses an inclusive workplace culture through raising awareness, ongoing training, and encouraging feedback. We aim to create a safe and supportive environment where all employees can thrive.
Accommodation for disabilities or other grounds protected by human rights legislation are available upon request for candidates taking part in all aspects of the employment selection process.