Croesus provides innovative, high-performance, and secure wealth management solutions that include portfolio management systems, portfolio rebalancing tools, and application programming interfaces (APIs). These solutions empower wealth management professionals to improve their productivity, enhance their client relationships, make informed decisions, and maximize the management of their assets under management.
Croesus’s mission is to provide a superior experience to its clients, users, partners, and employees and to positively impact the community. With more than 200 employees in its Montréal, Toronto, and Geneva offices, Croesus has won several industry awards for being a high-quality solution provider and an outstanding employer.
As a member of the information security team, you serve as the strategic bridge between development and cybersecurity. Your role is to integrate security from the earliest stages of software design (“security by design”) and to turn technical constraints into drivers of excellence. As a hands-on expert, you support teams in effectively addressing vulnerabilities and fostering a culture of security. You also serve as the internal point of contact for the security of the artificial intelligence components integrated into our SaaS products.
Main Responsibilities:
Vulnerability Management and Triage
- Classify vulnerabilities based on actual risk by correlating severity scores with business impact.
- Support product managers in prioritizing fixes within development backlogs.
- Oversee remediation using key performance indicators and validate the robustness of fixes.
Secure Architecture and Development
- Conduct critical code reviews for C#, C++, Python, and web environments.
- Secure data processing chains.
- Get involved as early as the design phase through threat modeling. Extend this practice to AI components and agent-based architectures integrated into our products (RAG, autonomous agents, MCP integrations).
Security of AI Components in Products
- Assess the security of integrations between our products and third-party AI models.
- Apply the OWASP LLM Top 10 framework during code reviews and threat modeling exercises.
- Define, in collaboration with development and DevOps teams, the application controls governing the use of generative AI in products: secret management for third-party model APIs, input and output validation, server-side controls on prompts, and checkpoints in CI/CD pipelines.
- Evolve internal secure development standards for AI components.
- Assess risks specific to the agent-based architectures integrated into our products: indirect prompt injection (RAG), excessive agency, tool poisoning, and MCP integration security.
Leadership: Security Champions Program
- Lead the Champions Guild across various functional areas.
- Organize knowledge transfer through workshops, simulation exercises, and training sessions.
- Provide personalized technical mentoring to security champions.
Security Automation and Integration
- Maintain automated security checks in continuous integration and continuous deployment (CI/CD) pipelines.
- Evaluate, deploy, and refine static and dynamic analysis (SAST, DAST), software composition analysis (SCA), and secret detection tools, ensuring a good balance between coverage, false positive rates, and developer experience.
All internal meetings at Croesus are conducted in French, so a strong proficiency in French is mandatory.
- Overall experience: Minimum 5 years in information technology.
- Domain expertise: Minimum 2 years in software development and 3 years in application security.
- Education: Degree in computer science. A specialization or additional training in security is a major asset.
- Development & Code
- Advanced proficiency: C#, C++, and Python (AI and data).
- Web Security: Proficiency with modern development frameworks (TS/JS) and defense against common attacks.
- Security Methodologies: Static and dynamic analysis, software composition analysis.
- Automation: Integration of automated security controls into deployment pipelines.
- Risk Analysis: Translation of technical vulnerabilities into understandable business risks.
Why join Croesus?
- À la carte vacations
- Annual salary + Corporate profit-sharing plan
- Hybrid work, 2 days a week in office (Laval & Montreal offices)
- Sports program
- Gym available at our Laval head office
- Telemedicine + group insurance (super useful for the family 😉 )
- Group RRSP
- Proximity to Montmorency & McGill metro stations
- Ongoing training and development plan
- Referral bonus
- Indoor and outdoor parking & electric car recharging
- Croesus boutique
- Beautifully renovated and spacious office
- Complimentary breakfast every morning
- Happy hours twice a month, prepared by our Croesus Life Partner
Are you interested in this challenge? Do you believe you have the qualities and expertise required for this position? Please complete your application today.
Although all applications are carefully analyzed, we will communicate only with those selected. Thank you for your interest in Croesus.