Application Security Expert

JOB SUMMARY:

The Application Security team has global accountability and is highly supportive of the Bank's
business, enabling execution of the Bank's strategies, operations and services, while ensuring
that appropriate application security practices are adhered to.
Reporting to the Senior Manager Application Security, the Application Security Analyst is
responsible for supporting the Senior Manager, Director, Vice President (VP), Senior Vice
President (SVP) and Chief Information Security Officer (CISO) in achieving Information
Security & Control's (IS&C) strategic goals through various processes, including:
Develop and/or enhance strategies and processes to manage web application security
vulnerabilities and threats for both transactional and marketing/informational web sites.
Develop and/or enhance communication model to manage web application vulnerability
remediation with the development and infrastructure support teams in support of risk
management practices on behalf of the business owner.
Develop and/or enhance reporting to development teams and all levels of management in order
to provide proper tracking and measurement of remediation relative to established objectives.
This function provides core competency in proactively detecting application code flaws and/or
bugs while working with the appropriate teams in instituting appropriate controls to mitigate
risks, specifically as they pertain to web application vulnerabilities and threats. The Application
Security Analyst will be expected to work closely with the application development groups to
integrate application security processes and procedures into the software development lifecycle.
KEY ACCOUNTABILITIES:
Recommend, design, assess, implement, deploy and maintain application security controls
required to protect Scotiabank and its customers.
Responsible for developing and/or enhancing the strategies and processes to identify, analyze,
and communicate application vulnerabilities as per the CISO Directive and published
communication process flows.
Responsible for adherence to an established process flow that ensures development support
teams, infrastructure support teams, and business risk owners implement control measures that
effectively mitigate or eliminate the identified risk.
Responsible for timely and accurate reporting of all findings to the development teams,
appropriate levels of management and the business risk owner.
Must remain current in the web application security space and ensure web application
security principles are implemented and integrated into the Bank's web application security
assessment program.
FUNCTIONAL COMPETENCIES:
Minimum 4 years of application security related working experience required.
Must have a strong understanding of multi-tier Web Applications, web services, and related
vulnerabilities and potential threats.
Must have a comprehensive understanding of the HTTP protocol, System Development
Lifecycle (SDLC) and Web Programming for multi-tier web applications and web services. An
understanding of JavaScript, Java, SQL, HTML, XML, ASP.NET, and VB.NET is essential.
Must have hands-on technical working experience performing source code and/or application
security assessments, including risk assessments, and penetration testing. The ability to
demonstrate exploitation of vulnerabilities would be an asset, as would experience with
vulnerability testing and scanning tools such as Burp Suite, HP WebInspect, AppScan,
SQLMap, ZAP, and Fortify.
Must have an understanding of gateway technologies and network devices such as Load
Balancers, Proxies, IPS & WAF.
Must be conversant in security industry best practices and principles.
Must have strong communication skills (verbal & written) in English. The same in Spanish is
an asset.
Must have the ability to generate reports and tailor his/her communication strategy for various
levels of technical staff, executive management, and business clients.

QUALIFICATIONS:
EDUCATIONAL REQUIREMENTS:
CISSP and/or CISA designation is an asset.
Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP), Offensive
Security Web Expert (OSWE) is highly desired.
University degree or college diploma.

Scotiabank is an equal opportunity employer and welcomes applications from all interested
parties. We thank you for your interest; however, only those candidates selected for an interview
will be contacted. No agencies please.