Title: Application Security Analyst
Department: Information Technology
Location: 6300 Steeles Ave West, Woodbridge
Total Potential Compensation: $95,000-$115,000
Position Summary:
As anApplication Security Analyst, you willbe responsible forsupporting and operating core security capabilities across 407 ETR’s digital environment, with a primary focus on application security. This includes promoting secure-by-design practices throughout the SDLC and supporting the integration and operation of security tooling and automation, such as SAST, DAST, SCA, ASPM, and penetration testing services. You will work closely with Architecture, DevOps, QA, Product teams, and external partnerstoembed security controls into requirements, design, development, testing, and release activities, andtrackand manage security vulnerabilities through remediation.Thisrole also contributes to improving the overall cyber and technology risk posture, with measurable improvements reflected in the Technology and Cyber Risk Indices (TRI/SRI).
Hours of work are onsite, Monday to Friday, 7.5 hours daily, or asrequired. After-hours support and on-call duties may berequiredfor priority releases or security incidents.
Position Responsibilities:
AppSec Strategy & SDLC Integration
Embedsecurity requirementsandnon‑functional controls into epics, features, and user stories;maintainsecurity traceability throughout the lifecycle.
Leadthreat modelingat design time for new and changed services (web, mobile, APIs, microservices) and ensure mitigations are implemented prior to coding.
Define and operateSDLC security gates(pre‑commit, build, test, deployment) with policy‑driven thresholds (e.g., fail on Critical/High) and exceptions governance.
DevSecOpsTooling & Automation
Implement and tuneSAST, DAST, SCAandASPMintegrations within CI/CD, ensuring coverage, accuracy, and developer‑friendly feedback loops; coordinatePTaaScycles aligned to release schedules
Partner with DevOps to secure build pipelines, artifacts, and environments (e.g.,IaCscanning, container image hardening, secrets management, SBOM generation and validation)
Work with platform teams to evolve pipelines consistent with the 407 ETR DevOps framework andfuture‑stateCI/CD models
Findings Management & Risk Reporting
Operate aunified findings intake(ASPM as system of record) for automated tool outputs and manual assessments; triage, prioritize, and track remediation to closure
Apply arisk‑based SLAmodel (severity, exploitability, asset criticality) and escalate overdue items; publish weekly triage outcomes and monthly KPIs.
Report AppSec posture usingTRI/SRIaligned metrics (e.g., unresolvedcriticals, mean‑time‑to‑remediate, coverage, policy conformance)
Secure Engineering Enablement
Providesecure coding guidance, sample patterns, and remediation support for developers; deliver targeted training and office hours
Collaborate onarchitecture reviews, pen‑test scoping, and change risk assessments for web andmobile(using established change‑type workflow)
Contribute to AppSecpolicies/standardsand improve documentation (playbooks, runbooks, “definition of done” security criteria)
AdditionalTechnical Experience
Experience withData Loss Prevention (DLP) technologiesand controls, including policy configuration, monitoring, and incident investigation, isrequired
Experience withSingle Sign-On (SSO) integrationsand identity federation protocols is an asset.
Compliance & Vendor Management
Ensure controls align withPCI DSS Secure SDLC,ISO 27001/27002, andNISTDevSecOpsguidance (e.g., SP 800‑204D); support internal/external audits and evidence collection
Manage AppSec vendor relationships and deliverables per theApplication Security Managed Servicescope (ASPM,PTaaS, continuous monitoring)
Note:This job description is not intended to be all-inclusive. The employee may perform other related duties, as assigned, to meet the ongoing needs of the organization.
Qualifications
Minimum 5+ years of experience in IT Security, with strong hands-on experience in Security Operations.
College Diploma or University Degree in Computer Science, Engineering, or related field.
EDR platforms (e.g., endpoint containment, alert triage, investigation).
NDR technologies and network-based threat detection.
Security Incident Response and Investigation.
Strong understanding of attacker techniques and defensive controls (MITRE ATT&CK).
Experience working in regulated or audit-driven environments.
Strong understanding of authentication, authorization, MFA, RBAC, and privileged access concepts.
SSO Authentication: Experience implementing and supporting SSO solutions for secure user access across enterprise applications.
PreferredQualifications
Knowledge of standing up a mature Application Security framework
Experience with enterprise SOC tooling including SIEM, EDR, NDR, SOAR.
Experience operating security controls in hybrid (on‑prem and cloud) environments.
Familiarity with Security Risk Index (SRI), cyber risk metrics, or risk-based reporting.
Knowledge of network architecture and segmentation concepts.
We are actively seeking to fill this role as it is a current vacancy.
About 407 ETR
Highway 407 ETR is an all-electronic open-access toll highway located in the Greater Toronto Area in Ontario, Canada. The highway spans 108 kilometres from Burlington in the west to Pickering in the east.
407 International Inc. is the sole shareholder of 407 ETR and is owned by:
Cintra Global S.E., a subsidiary of Ferrovial S.A. (48.29%)
Canada Pension Plan Investment Board (CPP Investments) and other institutional investors with non-controlling interests (44.20%)
Public Sector Pension Investment Board (PSP Investments) (7.51%)
Learn more at
Note: