Security Engineer, Application Security

About Us:

With $295.0 billion of gross assets under management, as of March 31, 2025, British Columbia Investment Management Corporation (BCI) is the provider of investment management services for British Columbia’s public sector and one of the largest asset managers in Canada. BCI seeks investment opportunities around the world and across a range of asset classes that convert savings into productive capital. Our investment returns play a significant role in helping our institutional clients build a financially secure future for their beneficiaries.

Headquartered in Victoria, British Columbia, and with teams spanning Vancouver, New York, London, and Mumbai.

BCI integrates environmental, social, and governance (ESG) factors into all investment decisions to meet clients' risk and return requirements. Our people shape employee-focused initiatives, creating a strong culture. To learn more about our culture and values, visit our page.

POSTING CLOSE DATE: June 2, 2026

BCI’s Cyber Security team is looking for a specialized Application Security Engineer to embed alongside development teams and help secure the software BCI builds, from design through deployment. Based in Vancouver or Victoria, this role sits at the intersection of software engineering and security, requiring deep hands-on experience with application security practices including AI assisted development.

THE OPPORTUNITY

Reporting to the Senior Manager, Cyber Security Product & Innovation, the Security Engineer is responsible for ensuring all software solutions built by BCI conform to best practices for writing secure software. The Security Engineer will be instrumental in developing security requirements and designing and implementing security solutions.

The Security Engineer collaborates and communicates with business and technology teams in an Agile hybrid environment and enables the effective and efficient delivery of secure, quality products.

This role has a specialized focus on application security engineering, a discipline that goes beyond general security engineering to address how software is built, tested, and defended throughout its full lifecycle. Application security engineers bring specific expertise to securing development environments, pipelines, and Including AI enabled and low-code/no-code environments Candidates are expected to be actively tracking these developments and to have explored the security implications they introduce, whether through enterprise experience or hands-on self-directed learning.

WHAT YOU BRING

• Bachelor’s degree in Technology, Engineering, Computer Science, or a related field

• A minimum of 5 years of experience in progressively senior technical roles with responsibility focused on information security processes, products, and projects

• Very strong knowledge in engineering secure systems

• Experience with securing cloud environments (MS Azure)

• Must have excellent documentation, customer-service, listening, communication and problem-solving skills

• Must be able to implement programs, security technologies and solutions to measure and sustain the security posture of large, complex environments

• Experience with Agile methods (Scrum) and DevOps practices is an asset

• Professional certifications such as Global Information Assurance Certification (GIAC), Certified Information Systems Security Professional (CISSP), Offensive Security Certified Professional (OSCP), Certified Information Security Manager (CISM) or equivalent experience is essential

TECHNICAL SKILLS REQUIREMENTS

Must have some combination of strong hands-on experience with at minimum 4 or 5 of the following skills or technologies:

• Identity and access management systems for hybrid environments

• Secure coding practices

• Systems engineering

• Ethical vulnerability research and threat modeling

• Windows, UNIX, and Linux operating systems security, virtualization technology security, container security and serverless computing security

• Privileged access management systems for hybrid environments

• EDR and/or other endpoint protection technologies

• Zero Trust system design

• Cloud Native Application Protection Platform (CNAPP) systems

• Secure application design principles

• Data Classification and DLP solutions

• Enterprise vulnerability management, including vulnerability assessment, remediation, and reporting

• Phishing and social engineering

WHAT YOU WILL DO

• Development of new and innovative ways to solve existing production security issues as well as evaluate new technologies and processes that enhance security capabilities

• Develops technical security requirements for new products, tools and services envisioned for implementation at BCI

• Help and guide projects during solution design phase

• Collaborates and coordinates with application, operations, and product teams to provide guidance on the development of secure product designs that meet security requirements

• Ability to communicate complex security issues and develop security user stories in language that non-technical stake holders can understand

• Ability to respond to information security issues at each stage of a project’s lifecycle

• Proactively identifies risks and issues and proposes solutions to remove barriers

• Undertakes special projects or assignments as required

• Ability to document designs as well as produce technical reports in support of security initiatives

• Consults on designs, implementations, and maintenance of DevSecOps pipelines that integrate security testing (SAST, DAST, SCA) into CI/CD workflows

• Works with DevSecOps to develop and maintain secure coding standards, guidelines, and training materials for development teams

• Conducts application security assessments, threat modeling sessions, and architecture reviews for new and existing applications

• Champions security culture by embedding into Agile development teams as a security subject matter expert

• Triages and prioritizes application security vulnerabilities, working with development teams on remediation strategies

• Develops and maintains security testing automation to enable continuous assurance of application security posture

• Monitors emerging application security threats, vulnerabilities, and attack techniques to proactively address risks

• Experience with application security testing tools including Static analysis/SAST, Dynamic analysis/DAST, IAST, and Software Composition Analysis (SCA)

• Knowledge of secure API design, authentication patterns (OAuth 2.0, OpenID Connect), and API gateway security

• Experience with Infrastructure as Code (IaC) security scanning (Terraform, ARM templates, CloudFormation)

• Proficiency in programming languages such as Python, JavaScript/TypeScript, Java, C#, or Go

• Knowledge of AI/ML application security considerations, including prompt injection prevention and model security

• Professional certifications such as GWAPT, GWEB, CSSLP, CEH, OSWE, or equivalent experience is an asset

• Leads and completes security risk reviews on software, SaaS, third party and written code

• Monitors emerging AI and ML security threats, vulnerabilities and attack techniques and proposes new solutions to emergent risks in these areas

• Performs other related duties as required

WHERE YOU WILL WORK

There is a strong preference for Victoria, BC; however, we will consider Vancouver, BC for the right candidate, with the expectation of occasional travel to Victoria. We are an in-person collaborative organization with the flexibility to work remotely one day a week.

SALARY RANGE

The annualized base salary range for this Victoria or Vancouver based role is CAD $125,000 to $150,000.

BCI offers a competitive total rewards package, including a performance-based incentive plan, comprehensive health & dental benefits, a defined benefit pension plan, and paid time off. We pay our people competitively in the markets in which we operate and with consideration for internal equity and job structure. The base salary will consider factors such as the individual's skill set, experience, and internal equity. We aim for actual pay to be around the market median for expected performance and the upper quartile for excellent performance. Actual salaries may vary based on experience and expertise.

Next Steps:

To apply online, please submit your resume promptly. Applications will be actively reviewed, and those selected for an interview will be contacted. We welcome all qualified candidates who are legally authorized to work in the country where this job is located. If you do not have authorization, or if your work permit has restrictions or is due to expire within 12 months, please inform our recruitment team if shortlisted.

At BCI, we value diversity and foster an inclusive culture where all employees can thrive. We are performance and client-focused, valuing integrity, and we want to know you if you share these values. We recognize that some skills can be learned on the job and encourage everyone to apply. If you require accommodations for the recruitment process, such as alternate formats of materials or accessible meeting rooms, please contact us at .

To learn more about working with BCI, including our comprehensive benefits packages, our commitment to equity, diversity and inclusion and the recruitment process visit our .

BCI does not accept unsolicited resumes or candidate submissions from third-party recruitment agencies, executive search firms, or staffing suppliers unless they have an existing contractual agreement with our organization. Our approved vendor relationships are established for particular recruitment requirements and do not extend to general job postings on our website or other platforms. Any candidate information or resumes submitted by suppliers not approved by BCI will be deemed unsolicited and will not be reviewed or considered. BCI will not be liable for any fees, commissions, or charges related to unsolicited candidate submissions or recruitment services.