Application Security Analyst - Remote

Canada

Applications have closed

Kinaxis

Revolutionize supply chain management with Kinaxis. Get end-to-end transparency to make fast, collaborative decisions with the power of concurrency.

At Kinaxis, who we are is grounded in our common belief that people matter. Each one of us plays an important part in accomplishing our work, building our culture and making a global impact.

Every day, we’re empowered to work together to help our customers make fast, confident planning decisions. This is how we create a better planet – for each other, for our customers and for generations to come. Our cloud-based platform RapidResponse ensures that the products we need – everything from medicine and cars, to day-to-day items like toothpaste – make it to market and into our hands when we need them with minimal ecological footprint.

We make the world better, and you can too.

Application Security Analyst

Job location: This is a remote position. You can work from home and be located anywhere in Canada.

About the team

The Application Security Analyst is responsible for identifying and remediating security bugs across Kinaxis’ web and desktop applications to promote a secure posture and ensure conformance with the information security standards and policies.

This role will report directly to the Senior Director, Global Information Security. The Global Information Security team is responsible for all security-related handling for Kinaxis Corporate and Kinaxis RapidResponse Software-as-a-Service.

What you will do

  • Identify information security risks at the application level, at each stage of development, and proactively work to ensure that risks are identified, assessed and mitigated across the business.
  • Integrate static and/or dynamic code analysis tools into the SDLC
  • Build a governance process for Software Developers to execute secure development principles and best practices (e.g. OWASP Top 10).
  • Monitor and review network application traffic and database transactions on endpoints, datacentres & clouds. Correlate and identify unexpected behavior, intrusions, or areas of risk.
  • Conduct vulnerability and penetration tests against defined systems.
  • Identify and propose key application security priorities, initiatives, plans, practices and tools.
  • Provide guidance (e.g., information security risk severity assessments / relative cost benefit analysis etc.) and provide recommendations regarding prioritization of investments and projects that mitigate risks, strengthen defenses and reduce vulnerabilities.
  • Collaborate across the company to ensure information security risks in both ongoing and planned operations are properly considered and that all compliance matters are being adhered to as required.
  • Monitor application security trends and evolving technologies and keep senior management informed about related application security issues and implications for the Company.
  • Participate in the Security Incident Response Process
  • Assist with disaster recovery and business continuity planning
  • Perform technical risk assessments and reviews of new and existing applications and systems
  • Assist with emergencies and incident response after hours should the need arise

What we are looking for

  • Educational background in Information Security, Computer Science, Information Management Systems, or equivalent evidence of solid understanding of common web application technologies and languages
  • Technical skills relevant to Application Security such as secure coding standards, application security testing, Java programming, ethical hacking techniques, cloud security architecture, vulnerability and threat management
  • Two years' experience in Information Security Auditing.
  • Real interest in application security assessment, either by breaking them down, or helping to build them up
  • Basic understanding of data centre and public cloud environments.
  • Familiar with vulnerability management and penetration testing tools:
    • Some of NMAP, Nessus, Burp, ZAP, Nexpose, BackTrack, Kali Linux, Metasploit, etc.
  • Threat modeling and attack vector analysis
  • Crafting proof of concepts for exploitation
  • Experience developing with Java, Python, HTML, or JavaScript
  • Familiarity with Information Security industry standards/best practices and relevant regulations (e.g. some of SSAE16, SOC 2, C5, PCI DSS, HIPAA, GLBA, FISMA, NIST, ISO27000, CobiT, ISF, OWASP, SANS, ITIL, ATT&CK)
  • Analytical and detail oriented
  • Strong written and oral communication skills

Desirable Qualifications

  • CISSP, CCSP, other IT security certification
  • A published CVE discovered by you.

What we have to offer

  • Challenging Work - We love solving highly complex problems. And as the global leaders in our industry, we never stop innovating—our work is never “done.” That’s because across our teams and in all roles, every employee is empowered to bring their best ideas forward and to jump in and solve the problems they’re passionate about.
  • Great People - We take our work seriously, but we don’t take ourselves too seriously! It’s in our DNA to celebrate, laugh, and have fun. We are stronger, together, when we are open, honest, and above all, real. Every person is valued here and plays an important role in our shared success.
  • Global Impact - As a global team spanning continents, boundaries, and cultures, every day we are inspired by the impact our work has on our colleagues, our customers, our communities, and the world at large.
  • Diversity, Equity and Inclusion - Diversity, equity and inclusion are more than words to us. They are the guiding principles for building a culture where we celebrate each other’s differences, continuously strive for equality and recognize that inclusion makes us stronger as individuals, a company and a global citizen.

For more information, visit the Kinaxis web site at www.kinaxis.com or the company’s blog at http://blog.kinaxis.com/.

Kinaxis strongly encourages diverse candidates to apply to our welcoming community. We strive to make our website and application process accessible to any and all users. If you would like to contact us regarding the accessibility of our website or need assistance completing the application process, please contact Human Resources at accommodations@kinaxis.com. This contact information is for accessibility requests only and cannot be used to inquire about the status of applications.

Tags: Application security Audits CCSP CISSP Cloud COBIT Code analysis Compliance Computer Science Ethical hacking FISMA Governance HIPAA Incident response ISO 27000 Java JavaScript Kali Linux Metasploit Nessus NIST Nmap OWASP PCI DSS Pentesting Python SANS SDLC Security assessment SOC 2 Vulnerabilities Vulnerability management

Region: North America
Country: Canada