Responsibilities
- Evaluate Canopy’s security posture across application, cloud, and infrastructure layers. Identify gaps, prioritize remediation, and own roadmap items through to completion.
- Lead application security efforts including code review across Python and Java/Kotlin codebases, API security assessments, and secure development guidance for engineering teams.
- Integrate and manage SAST tooling (Semgrep, Snyk Code, Checkmarx, or GitHub Advanced Security) within CI/CD pipelines (GitHub Actions/GitLab). Own finding triage, rule tuning, and false positive management.
- Collaborate with DevOps on AWS cloud security posture, including Security Hub, GuardDuty, WAF rule management, AMI/golden image pipelines, and infrastructure-as-code security via Terraform.
- Mature and evolve Canopy’s incident response program, improving playbooks, processes, and readiness.
- Build security automation and tooling using Python, including API integrations, data enrichment workflows, and tool orchestration.
- Partner cross-functionally with engineering, DevOps, and IT to embed security into development and operational workflows.
Requirements
- 6+ years of experience in information security, with a focus on application security, cloud security, or security engineering.
- Experience working at a SaaS company with production environments in AWS.
- Strong application security skills including code review in Python and/or Java/Kotlin, API security, and familiarity with common web application vulnerabilities (OWASP Top 10).
- Hands-on experience with SAST tools (Semgrep, Snyk, Checkmarx, or GitHub Advanced Security) and integrating them into CI/CD pipelines.
- Working knowledge of AWS security services (Security Hub, GuardDuty, WAF, EC2 Image Builder, SSM) and infrastructure-as-code tools like Terraform.
- Proficiency in Python for security automation, scripting, and API integrations.
- Incident response experience in a structured IR program, with the ability to mature processes and lead investigations.
- Ability to identify strategic security gaps, build a roadmap, and drive initiatives to completion with minimal oversight.
- Strong communication skills with the ability to translate security risks into business context for both technical and non-technical audiences.
Nice to Have
- Experience with server-side EDR platforms (SentinelOne or CrowdStrike Falcon).
- Familiarity with container security and Kubernetes environments.
- Relevant certifications (CISSP, GCIH, AWS Security Specialty, OSCP, or similar).
- Experience with WAF rule management and DDoS mitigation strategies.
Benefits
- Flexible Paid Time Off - that you’re actually encouraged to use, plus 10 company holidays!
- Health Benefits - including Medical, Dental, and Vision and an HSA Match.
- 401(k) - we match 100% up to 3% of your contribution. Eligibility is immediate with 100% vesting.
- Mental Health - all employees have access to Impact Suite & to our Employee Assistance Program (EAP).
- Paid New Parent Leave & Birthing Parent Leave - so you’re able to care for your little ones.
- Supplemental Benefits - including 100% company paid Basic Life & AD&D insurance and long & short-term disability coverage.
- Nectar - our peer-to-peer recognition program to help our employees recognize the amazing work being done by other Canopians!
- Company Events - including monthly company-wide meetings, summer parties, and more.
- ERG Committees - to plan initiatives around continuing education, community outreach, recruiting, onboarding, and more.
- Fully-stocked kitchen - Keto? Vegan? Flexitarian? Mandalorian? We’ve got you covered.
Work Arrangement
Hybrid