Senior Product Security Engineer

We believe small businesses are at the heart of our communities, and championing them is worth fighting for. We empower small business owners to manage their finances fearlessly, by offering the simplest, all-in-one financial management solution they can't live without.

The Product Security Engineer is responsible for ensuring the security of our organization’s products throughout their lifecycle. This role focuses on protecting software, hardware, and firmware from vulnerabilities and cyber threats, aligning with business goals and compliance standards. This role also consults with security adjacent stakeholders and business units to provide suggestions, education, guidance and feedback from a security perspective.

• Risk Assessment and Mitigation: Perform threat modelling application design solutions and vulnerability assessments to identify relevant risks, security gaps or risks in product design and development. Maintain documentation of security controls and processes. Prepare reports on security risks and mitigation efforts for management and regulatory bodies. Audit source code and perform code review for critical application changes. 
• Secure Development Practices: Implement security tooling and automation to scale the Product Security team’s practices. Advocate for and integrate security best practices in the Software Development Lifecycle (SDLC). Conduct code reviews, penetration testing, and static/dynamic analysis. Ensure compliance with industry standards (e.g., AICPA SOC2, HIPAA, PCI DSS, SOX ISO 27001, NIST CSF). 
• Incident Response and Management: Monitor and address security incidents impacting Wave products. Implement and manage SOAR solutions to improve incident response times and efficiency.
• Security Architecture and Development: Working with product and engineering teams to design, program development, software development and implement security controls and protections within the product via automation. This task ensures the product is built with security in mind from the ground up. Integrate security tools and technologies into the CI/CD pipeline (e.g., static and dynamic application security testing (SAST/DAST), software composition analysis (SCA), and infrastructure-as-code (IaC) scanning).
• Planning, Collaboration and Training: Product roadmap planning with key stakeholders, collaboration with cross functional teams to develop mitigation strategies. Working closely and mentor Product, Engineering, and IT teams for security best practices. Provide security training and awareness for developers and stakeholders.
• Leadership and Communication: Effectively communicate security, privacy risks and best practices to both technical and non-technical audiences. Ability to guide and influence Wave engineering teams on security matters.

• 4-6 years of experience in a Product Security role.
• Bachelor’s degree in Computer Science, Cybersecurity, or a related field.
• Experience leading architectural changes or complex cross team efforts to mitigate security vulnerabilities.
• Strong understanding of: Threat modelling methodologies such as MITRE ATT&CK, STRIDE, and PASTA;
• Amazon AWS Services, MS Azure, and their capabilities;
• Securing web applications;
• Orchestration tools (ex. Anisible, Terraform);
• Automation scripting (e.g. Python, Django, etc.)
• Experience with frameworks such as OWASP Top 10, SAST/DAST tools, and CI/CD pipelines.
• Fluency in Python, React, and Django Rest Framework.
• Experience with manual source code review, and embedding security to code in production environments.
• Experience with deploying application security tools in the CI/CD pipeline.
• Experience with securing software development lifecycle including building programs. that eliminate full classes of vulnerabilities.
• Excellent communication and interpersonal skills.
• Ability to work independently and within a team.
• Strong organizational and time-management abilities.
• 
  
• Preferred Qualifications
• Certifications such as CISSP, CSSLP, CEH, or equivalent.
• Experience in IoT, embedded systems, or mobile app security.
• Knowledge of regulatory and compliance standards (e.g., AICPA SOC2, NIST CSF, GDPR, HIPAA)

At Wave, you’re treated like the incredible human being you are. 

Work From Where You Work Best: We will always have a welcoming, energizing, and world-class office (in Toronto) with a space for you. Or, if you’re more comfortable working from home, the choice is yours.

We Care About Future You: You will stretch yourself and you will grow at Wave. You will also be supported on this journey with diverse learning experiences, educational allowances, mentorship, and so much more.

We Support the Full You: We make a serious investment in your health & wellness. When we think about benefits we think about body, mind, & soul and we take this stuff very seriously. 

We Take Care of the Fundamentals: Fair compensation, all the office perks you’d want, and the various goodies you’d expect from a growing tech company. This is the obvious stuff, but we don’t want you to think we forgot!

We believe that a diverse and inclusive culture creates the best workplace. We embrace our differences, value individuality, and the broad spectrum of every Waver's skills and abilities. We challenge each other from a place of respect and pursuit of continuous growth. We trust each other and encourage everyone to bring their authentic selves to work, everyday. As Wavers, our voices matter, our opinions are met with an open mind. The best ideas win, no matter whose they are.  Contributing to an inclusive culture is a part of all of our job descriptions. 

We’ve been continuously recognized as one of Canada's Top Ten Most Admired Corporate Cultures and one of Canada’s Great Places to Work in categories including Technology, Millennials, Mental Health, Inclusion and Women.  

Are you ready to be a Waver? Join us!