Staff Application Security Engineer (AppSec) - Open to remote across ANZ

Sydney, Australia

Applications have closed

Job Description

Join the team redefining how the world experiences design.

Hey, g'day, mabuhay, kia ora,你好, hallo, vítejte!

Thanks for stopping by. We know job hunting can be a little time consuming and you're probably keen to find out what's on offer, so we'll get straight to the point. 

Where and how you can work

Our flagship campus is in Sydney. We also have a campus in Melbourne and co-working spaces in Brisbane, Perth and Adelaide. But you have choice in where and how you work. That means if you want to do your thing in the office (if you're near one), at home or a bit of both, it's up to you. 

What you’d be doing in this role

As Canva scales change continues to be part of our DNA. But we like to think that's all part of the fun. So this will give you the flavor of the type of things you'll be working on when you start, but this will likely evolve.

About Security Engineers

At Canva, we’re all constantly striving towards our Crazy Big Goals! As the features and services of our product suite evolve, we’re setting some large and ambitious goals. We need to be able to ship robust and secure features without sacrificing speed and scale of delivery, which is where our Security Engineers come in.

The Security Partnerships Team is a specialized set of Subject Matter Experts contained within Canva’s larger Application Security Team, with whom we share responsibility of risk assessment and threat modeling of all customer facing applications and services. Security Partners are paired with Canva engineering teams that need dedicated Application and Infrastructure Security support to deliver high impact projects.

As an Application Security Engineer, you develop strong advisory and consulting relationships with Canva’s platform engineering teams, offering subject matter expertise, deep knowledge, and dedicated hands-on support to enable secure platform and infrastructure. You are responsible for shaping what security engineering looks like at Canva, and continuously improving how the Infrastructure Group delivers a secure Platform as a Service initiative to our Product Teams.

About the Security Group

The Security Group is responsible for protecting Canva systems and data from information security threats. Our teams work together, and with other groups, to deliver preventive and detective controls and processes that reduce security risk.

The group runs programs across Identity and Access Management, Application Security, Risk Management, and Threat Detection and Response domains.  

What you'll be doing: 

  • Identifying, introducing, and improving security controls in Canva’s compute, platform engineering, and cloud infrastructure disciplines.

  • Advising infrastructure engineers on cloud platform security best practices and design patterns.

  • Leading threat modeling exercises for new and complex architectures and features.

  • Designing and developing tools, libraries and services that support Canva engineers in building secure software.

  • Evaluating new and emerging security technologies that make it easier to reliably maintain platform and infrastructure security.

  • Discovery and triage of vulnerabilities across Canva’s threat landscape.

  • Assisting your team in interviewing and hiring other talented security engineers.

  • Mentoring and supporting the growth of your colleagues in your areas of expertise.

Required Experience:

  • Experience with Infrastructure-centric Secure Design Review and Assessment, including Risk Assessment and Threat Modeling process.

  • Previous experience working with engineering teams to audit and remediate issues within the DevOps ecosystem (e.g. Continuous Delivery, Continuous Integration, Infrastructure as Code, Orchestration Platforms).

  • Subject-matter expertise in securing cloud-based environments (AWS, Google Cloud) with a working knowledge of broad infrastructure functions - Observability, Site Reliability etc.

  • Proficient with one or more modern program languages (Golang, Python or Java preferred).

  • Experience leading projects end-to-end whilst balancing requirements from multiple partners, and mentoring Security Engineers.

  • Excellent written and verbal communication skills; with the ability to work with a range of Canvanauts from different backgrounds, with different expertise, and with different professional and personal needs.

Beneficial Experience (not required, but helpful):

  • Experience building and deploying security tooling in support of containerized workloads.

  • Proficiency in orchestration platforms like Terraform, Docker, Kubernetes, and CI/CD platforms such as Buildkite, Jenkins, and ArgoCD, or similar technologies.

  • Proven understanding of secrets management platforms and patterns in orchestrated environments.

What's in it for you?

Achieving our crazy big goals motivates us to work hard - and we do - but you'll experience lots of moments of magic, connectivity and fun woven throughout life at Canva, too. We also offer a stack of benefits to set you up for every success in and outside of work.

Here's a taste of what's on offer:

  • Equity packages - we want our success to be yours too
  • Inclusive parental leave policy that supports all parents & carers
  • An annual Vibe & Thrive allowance to support your wellbeing, social connection, office setup & more
  • Flexible leave options that empower you to be a force for good, take time to recharge and supports you personally

Check out for more info.

Other stuff to know

We make hiring decisions based on your experience, skills and passion, as well as how you can enhance Canva and our culture. When you apply, please tell us the pronouns you use and any reasonable adjustments you may need during the interview process.

Please note that interviews are conducted virtually. 

* Salary range is an estimate based on our InfoSec / Cybersecurity Salary Index 💰

Tags: Application security AWS CI/CD Cloud DevOps Docker GCP Golang IAM Java Kubernetes Python Risk assessment Risk management Terraform Threat detection Vulnerabilities

Perks/benefits: Career development Equity Flex hours Flex vacation Home office stipend Parental leave

Regions: Remote/Anywhere Asia/Pacific
Country: Australia
Job stats:  25  3  0

Explore more InfoSec / Cybersecurity career opportunities

Find even more open roles in Ethical Hacking, Pen Testing, Security Engineering, Threat Research, Vulnerability Management, Cryptography, Digital Forensics and Cyber Security in general - ordered by popularity of job title or skills, toolset and products used - below.