Senior Application Security Engineer - Ecosystem (Open to remote across ANZ)

Sydney, Australia

Applications have closed

Job Description

Join the team redefining how the world experiences design.

Hey, g'day, mabuhay, kia ora, 你好, hallo, vítejte!

Thanks for stopping by. We know job hunting can be a little time consuming and you're probably keen to find out what's on offer, so we'll get straight to the point. 

Where and how you can work

Our flagship campus is in Sydney. We also have a campus in Melbourne and co-working spaces in Brisbane, Perth and Adelaide. But you have choice in where and how you work. That means if you want to do your thing in the office (if you're near one), at home or a bit of both, it's up to you. 

About Application Security Engineers

At Canva, we’re all constantly striving towards our Crazy Big Goals! As the features and services of our product suite evolve, we’re setting some large and adventurous goals. We need to balance shipping resilient and secure features whilst maintaining velocity.

As an Application Security Engineer in the Ecosystem Security Team, it is your mission to make delivering secure products and infrastructure the easiest path for software engineers to follow. You will also be responsible for shaping what security engineering looks like at Canva, and improving how we deliver secure platforms for our ecosystem community.

The Ecosystem Security team embraces an engineering-first, shift-left model focusing on the needs and wants of engineers; they are responsible for working with the Ecosystem teams, empowering them to navigate their security landscape and ship secure platforms. 

About the Security Group

The Security Group is responsible for protecting Canva systems and data from information security threats. Our teams work together, and with other groups, to deliver preventive and detective controls and processes that reduce security risk.

The group runs programs across Identity and Access Management, Application Security, Risk Management, and Threat Detection and Response domains.

What you’d be doing in this role

As Canva scales, change continues to be part of our DNA. But we like to think that's all part of the fun. So this will give you the flavour of the type of things you'll be working on when you start, but it will likely evolve.

Role Responsibilities: 

  • Identifying, introducing, and improving security controls throughout the cloud infrastructure at Canva.
  • Advising engineering teams on system and application security best practices and design patterns.
  • Threat modeling exercises for Canva products and infrastructure.
  • Discovery and triage of vulnerabilities across Canva’s threat landscape.
  • Assisting your team in interviewing and hiring other passionate security engineers.
  • Mentoring and supporting the growth of your colleagues in your areas of expertise.
  • Glassbox security reviews (source-code and dynamic assessments).

Required Experience:

  • Solid understanding of identity and authorization standards like OAuth, OpenID Connect, and SAML.

  • Proficient with one or more modern programming languages (Golang, Python or Java preferred).

  • In-depth working knowledge of web application vulnerabilities, particularly those involving iframes and cross-window postMessage, including hands-on exploitation skills and remediation strategies at scale.

  • Experience managing projects from start to finish, while juggling demands from various stakeholders and supporting other Application Security Engineers.

  • Hands-on experience providing security guidance, building threat models and conducting risk assessments in collaboration with engineering and platform teams.

  • Hands-on experience with browser-based and mobile applications, and with building secure paved roads.

  • Subject-matter expertise in one or more cloud platforms such as Amazon Web Services or Google Cloud Platform.

Beneficial Experience (not required, but helpful):

  • Experience with JavaScript and TypeScript development.
  • Experience implementing automated security testing techniques such as SAST, DAST, fuzzing, etc.
  • Familiarity with infrastructure as code (e.g. Terraform).
  • Guardrail tooling like cfn-nag, Semgrep, CodeQL, tfsec, or similar.

What's in it for you?

Achieving our crazy big goals motivates us to work hard - and we do - but you'll experience lots of moments of magic, connectivity and fun woven throughout life at Canva, too. We also offer a stack of benefits to set you up for every success in and outside of work.

Here's a taste of what's on offer:

  • Equity packages - we want our success to be yours too
  • Inclusive parental leave policy that supports all parents & carers
  • An annual Vibe & Thrive allowance to support your wellbeing, social connection, office setup & more
  • Flexible leave options that empower you to be a force for good, take time to recharge and support you personally

Check out lifeatcanva.com for more info.

Other stuff to know

We make hiring decisions based on your experience, skills and passion, as well as how you can enhance Canva and our culture. When you apply, please tell us the pronouns you use and any reasonable adjustments you may need during the interview process.

We celebrate all types of skills and backgrounds at Canva so even if you don’t feel like your skills quite match what’s listed above - we still want to hear from you!

Please note that interviews are conducted virtually.

Tags: Application security Cloud CodeQL DAST GCP Golang IAM Java JavaScript OpenID Python Risk assessment Risk management SAML SAST Terraform Threat detection TypeScript Vulnerabilities

Perks/benefits: Flex hours Flex vacation Home office stipend Parental leave

Regions: Remote/Anywhere Asia/Pacific
Country: Australia