Senior Ecosystem Security Engineer - Application Security (Open to remote across ANZ)
Sydney, Australia
Job Description
Join the team redefining how the world experiences design.
Hey, g'day, mabuhay, kia ora,你好, hallo, vítejte!
Thanks for stopping by. We know job hunting can be a little time consuming and you're probably keen to find out what's on offer, so we'll get straight to the point.
Where and how you can work
Our flagship campus is in Sydney. We also have a campus in Melbourne and co-working spaces in Brisbane, Perth and Adelaide. But you have choice in where and how you work. That means if you want to do your thing in the office (if you're near one), at home or a bit of both, it's up to you.
What you’d be doing in this role
As Canva scales, change continues to be part of our DNA. But we like to think that's all part of the fun. So this will give you the flavour of the type of things you'll be working on when you start, though it will likely evolve.
About Application Security Engineers
At Canva, we’re all constantly striving towards our Crazy Big Goals! As the features and services of our product suite evolve, we’re setting some large and adventurous goals. We need to balance shipping resilient and secure features whilst maintaining velocity.
The Ecosystem Security team embraces an engineering-first, shift-left model focused on the needs and wants of engineers. The team is responsible for working with the Ecosystem teams, empowering them to navigate their security landscape and ship secure platforms.
As an Application Security Engineer in the Ecosystem Security Team, it is your mission to make delivering secure products and infrastructure the easiest path for software engineers to follow. You will also be responsible for shaping what security engineering looks like at Canva, and improving how we deliver secure platforms for our ecosystem community.
About the Security Group
The Security Group is responsible for protecting Canva systems and data from information security threats. Our teams work together, and with other groups, to deliver preventive and detective controls and processes that reduce security risk.
The group runs programs across Identity and Access Management, Application Security, Risk Management, and Threat Detection and Response domains.
What you'll be doing:
- Identifying, introducing, and improving security controls throughout the cloud infrastructure at Canva.
- Advising engineering teams on system and application security best practices and design patterns.
- Threat modeling exercises for Canva products and infrastructure.
- Discovery and triage of vulnerabilities across Canva’s threat landscape.
- Assisting your team in interviewing and hiring other passionate security engineers.
- Mentoring and supporting the growth of your colleagues in your areas of expertise.
- Glassbox security reviews (source-code and dynamic assessments).
Required Experience:
- Solid understanding of identity and authorisation standards such as OAuth 2.0, OpenID Connect, and SAML.
- In-depth, functional knowledge of web application vulnerabilities, particularly those involving iframes and cross-window postMessage communication, including hands-on exploitation skills and strategies for remediating them at scale.
- Experience managing projects from start to finish while juggling demands from various stakeholders and supporting other Application Security Engineers.
- Hands-on experience providing security guidance, building threat models and conducting risk assessments in collaboration with engineering and platform teams.
- Hands-on experience with browser- and mobile-based applications, and with building secure paved roads.
- Subject-matter expertise in one or more cloud platforms such as Amazon Web Services or Google Cloud Platform.
- Proficiency in one or more modern programming languages.
Beneficial Experience (not required, but helpful):
- Experience with JavaScript and TypeScript development.
- Experience implementing automated security testing techniques such as SAST, DAST, fuzzing, etc.
- Familiarity with infrastructure as code (e.g. Terraform).
- Guardrail tooling such as cfn-nag, Semgrep, CodeQL, tfsec, or similar.
What's in it for you?
Achieving our crazy big goals motivates us to work hard - and we do - but you'll experience lots of moments of magic, connectivity and fun woven throughout life at Canva, too. We also offer a stack of benefits to set you up for every success in and outside of work.
Here's a taste of what's on offer:
- Equity packages - we want our success to be yours too
- Inclusive parental leave policy that supports all parents & carers
- An annual Vibe & Thrive allowance to support your wellbeing, social connection, office setup & more
- Flexible leave options that empower you to be a force for good, take time to recharge and support you personally
Check out lifeatcanva.com for more info.
Other stuff to know
We make hiring decisions based on your experience, skills and passion, as well as how you can enhance Canva and our culture. When you apply, please tell us the pronouns you use and any reasonable adjustments you may need during the interview process.
We celebrate all types of skills and backgrounds at Canva so even if you don’t feel like your skills quite match what’s listed above - we still want to hear from you!
Please note that interviews are conducted virtually.
Tags: Application security Cloud CodeQL DAST GCP IAM JavaScript OpenID Risk assessment Risk management SAML SAST Terraform Threat detection TypeScript Vulnerabilities
Perks/benefits: Flex hours Home office stipend Parental leave