Position Details: Security Analyst

Location: Hyderabad
Openings: 1
Salary Range:

Description:

• Application Security/SSDLC
• As an Application Security analyst with a focus on application security,
you will assess projects for security risks and recommend mitigations that
enable informed business decisions. You will support the development and
enforcement of security controls designed to safeguard Deloitte and our
architectures. Your work will support secure design, implementation, and
continuous improvement of cloud-native, distributed, and AI-enabled systems.

• About the Team:
• Deloitte Canada Cybersecurity - Application Security and Engineering team
is a group of passionate professionals dedicated to building secure,
resilient, and scalable solutions. We thrive on solving complex challenges
that safeguard applications across the enterprise. With diverse backgrounds
and deep expertise in cybersecurity, secure software development, and risk
management, we bring a wealth of knowledge to every project.

As part of this team, you’ll collaborate with engineers and security
specialists to embed security into the software development lifecycle,
innovate on cutting-edge security practices, and strengthen the firm’s
defenses. We are the trusted advisors at the intersection of security and
technology—placing you at the forefront of protecting critical systems and
enabling secure innovation.

• You will have the following responsibilities:

• Conduct application SSDLC reviews, including network security, IAM
controls, and application security assessments in a hybrid multi-vendor
cloud environment.

• Evaluate application architectures for design flaws—e.g., network
segmentation gaps, IAM misconfigurations, overly permissive roles,
encryption control deficiencies—against organizational and industry
security standards.

• Identify vulnerabilities and weaknesses in the application
architecture through application security assessments, code reviews, threat
modeling, and vulnerability scanning and penetration testing.

• Collaborate with development teams to integrate automated security
scanning tools into the CI/CD pipeline.

• Perform Dynamic Application Security Testing (DAST), Static
Application Security Testing (SAST), and Software Composition Analysis
(SCA) – along with conducting Infrastructure as Code (IaC) reviews.

• Review security scan results and work closely with the development
team to prioritize security vulnerabilities identified using a risk-based
approach.

• Provide recommendations and guidance to stakeholders to continually
improve the security posture of application architectures.

• Work with stakeholders to develop and enhance policies, procedures,
and risk management strategies to safeguard clients and enhance overall
security.

• To succeed in this role, the ideal candidate should possess the following
qualifications and skills:

• A Bachelor’s degree in Computer Science, Software Engineering, or
Information Security with industry experience of at least 3 years.

• Demonstrated experience in application security concepts such as
secure coding, system architecture design, development, industry
application security standards and best practices.

• Proficiency in identifying and remediating common web application
vulnerabilities, including OWASP Top 10.

• Understanding of security code issues for JEE/.NET/JS/JSP/ASP/Python
applications.

• Competency in understanding complex application environments comprising
applications developed on modern technologies such as:
  • containerization (Docker, Kubernetes etc.)
  • serverless compute (Lambda functions, Azure functions etc.)
  • IaC (Terraform, CloudFormation etc.)
  • Automation and CI/CD technologies (Jenkins, Chef, Ansible, Puppet,
  Azure DevOps etc.)

• Worked on securing AI/LLM systems end-to-end, covering RAG pipelines,
vector DBs, embeddings, model-serving, and access layers; mitigating prompt
injection, jailbreaks, unsafe outputs, data poisoning, model
inversion/extraction, and sensitive data leakage, while enforcing
guardrails, moderation, training-data governance, and CI/CD-integrated AI
testing.

• Understanding of hardening Agentic AI architectures, including
agent/tool frameworks, orchestration, and multi-agent workflows, ensuring
secure tool invocation, strict permissions, context isolation, misuse
prevention, and safe cloud deployment.

• Demonstrated experience in using application security testing tools to
perform static, dynamic code analysis, and penetration testing.

• Strong hands-on experience in assessing multi-vendor cloud
environments (AWS, Azure and GCP), with awareness of the vendors' service
offerings and of their security evaluation and hardening requirements.

• Experience in software development with solid knowledge of all phases
of SDLC is an asset.

• Ability to effectively articulate application security issues to a broad
spectrum of audiences, from developers to project managers to senior
leadership, as well as develop strong relationships across various levels
of an organization.

• Strong analytical and problem-solving abilities.

• Strong desire to learn more and a career vision of becoming a security
architect.

• Certifications
• Desired:
  • Associate/Architect level certificate from a leading cloud vendor
  (AWS, Azure or GCP) (or) Working towards OSCP+ Security Engineer
• Good-to-have/aspiring for:
  • GWAPT or GCPN
