Title: Senior Lead, AppSec and CloudSec Operation
Requisition ID: 250646
Join a purpose-driven, winning team, committed to results, in an inclusive and high-performing culture.
Scotiabank’s Application Security and Cloud Security Operations team has global accountability and is highly supportive of the Bank’s business, enabling execution of the Bank’s strategies, operations and services, while ensuring that appropriate application security practices are adhered to. This function provides core competency in proactively detecting application code flaws and/or bugs while working with the appropriate teams in instituting appropriate controls to mitigate risks, specifically as it pertains to web application vulnerabilities and threats. This candidate will be expected to work closely with the application development groups to integrate application security processes and procedures into the software development lifecycle.
The Role:
The incumbent is responsible for supporting the Senior Manager, Director, CIO and CISO in achieving enterprise security strategic goals through various processes, including:
- Develop and/or enhance strategies and processes to manage web application security vulnerabilities and threats for both transactional and marketing/informational web sites.
- Develop and/or enhance communication model to manage web application vulnerability remediation with the development and infrastructure support teams in support of risk management practices on behalf of the business owner.
- Develop and/or enhance reporting to development teams and all levels of management in order to provide proper tracking and measurement of remediation relative to established objectives.
Is this role right for you? In this role, you will:
- Collaborate with stakeholders across the Bank – you will work closely with development and engineering, DevOps, cloud, application security and other application owner teams across the organization to deliver Application Security capabilities for the Bank.
- Recommend, design, assess, implement, deploy and maintain AppSec controls required to protect Scotiabank and its customers.
- Be responsible for developing and/or enhancing the strategies and processes to identify, analyze, and communicate application vulnerabilities as per the CISO Directive and published communication process flows.
- Be responsible for adherence to an established process flow that ensures development support teams, infrastructure support teams, and business risk owners implement control measures that effectively mitigate or eliminate the identified risk.
- Be responsible for timely and accurate reporting of all findings to the development teams, appropriate levels of management and the business risk owner.
- Understand how the Bank’s risk appetite and risk culture should be considered in day-to-day activities and decisions.
Do you have the skills that will enable you to succeed in this role? We'd love to work with you if you have:
- 7+ years’ relevant working experience in IT (cloud security, application security, etc.).
- 5+ years’ experience with documenting process, procedure, and user guide.
- 5+ years’ experience practicing application security (SAST, DAST, SCA, MAST) throughout the Secure Software Development Lifecycle (SSDLC), with demonstrated experience in vulnerability assessment, security integration, automation of security processes, risk assessment and mitigation.
- 2+ years’ experience with popular CI/CD tools and processes such as Bitbucket/GitHub, JFrog Artifactory, Jenkins, Azure DevOps, GitLab CI/CD and CircleCI.
- Excellent communication skills and good support skills for triaging and analysis of issues for all development teams.
- Proficient at collaborating with various stakeholders to achieve the objectives assigned.
- A strong understanding of multi-tier web applications, web services, and their related vulnerabilities and potential threats, staying abreast of information provided by recognized organizations such as OWASP (Open Web Application Security Project) and CVE (Common Vulnerabilities and Exposures).
- A comprehensive understanding of web application architecture and development throughout the Secure Software Development Lifecycle (SSDLC).
- A comprehensive understanding of the HTTP protocol and web programming for multi-tier web applications and web services.
- Experience with more than one of the following languages and frameworks: Java, Swift, Kotlin, React, Angular, JavaScript, Ruby, Python, C# and Node.js.
- Experience performing source code reviews, manually or using analysis tools such as Fortify SCA, SonarQube, Black Duck, Checkmarx, Snyk and WebInspect, is essential.
- Experience in an Agile development shop, leveraging tools such as Confluence, JIRA, Bitbucket, Gradle, Maven and Jenkins, is essential.
- Knowledge of technologies and processes such as Agile Software Delivery, Continuous Integration and Continuous Delivery, DevOps, GitOps, Cloud Native Technologies including Docker Containers, Kubernetes, and Deployment Automation & Orchestration.
- The ability to generate reports and tailor your communication strategy for various levels of technical staff, executive management, and business clients. Experience with reporting tools such as Cognos, JasperReports and Microsoft Power BI would be an asset.
Education Experiences:
- CISSP and/or CISA designation is beneficial but not required.
- CEH, OSCP or OSWE designation is beneficial but not required.
- University degree or college diploma, and a minimum of five (5) years of equivalent security industry-related experience, required.
What's in it for you?
- Diversity, Equity, Inclusion & Allyship - We strive to create an inclusive culture where every employee is empowered to reach their fullest potential, respected for who they are, and embraced through bias-free practices and inclusive values across Scotiabank. We embrace diversity and provide opportunities for all employees to learn, grow & participate through our various Employee Resource Groups (ERGs) that span diverse gender identities, ethnicity, race, age, ability & veterans.
- Accessibility and Workplace Accommodations - We value the unique skills and experiences each individual brings to the Bank and are committed to creating and maintaining an inclusive and accessible environment for everyone. Scotiabank continues to locate, remove and prevent barriers so that we can build a diverse and inclusive environment while meeting accessibility requirements.
- Upskilling through online courses, cross-functional development opportunities, and tuition assistance.
- Competitive Rewards program, including bonus, flexible vacation, personal and sick days, with benefits that start on day one.
- Community Engagement - no matter where you choose to work from, we offer opportunities for community engagement & belonging through our various programs, such as hackathons, contests, Humans of Digital and much more!
Location(s): Canada : Ontario : Toronto
Scotiabank is a leading bank in the Americas. Guided by our purpose: "for every future", we help our customers, their families and their communities achieve success through a broad range of advice, products and services, including personal and commercial banking, wealth management and private banking, corporate and investment banking, and capital markets.
At Scotiabank, we value the unique skills and experiences each individual brings to the Bank, and are committed to creating and maintaining an inclusive and accessible environment for everyone. If you require accommodation (including, but not limited to, an accessible interview site, alternate format documents, ASL Interpreter, or Assistive Technology) during the recruitment and selection process, please let our Recruitment team know. Candidates must apply directly online to be considered for this role. We thank all applicants for their interest in a career at Scotiabank; however, only those candidates who are selected for an interview will be contacted.