Location: REMOTE / Montreal, Quebec
This job allows you to work remotely.
The company is a premier provider of specialized information management and collaboration solutions tailored for the Architecture, Engineering, Construction, and Owner (AECO) sectors. For over two decades, the organization has focused on solving the industry's most persistent challenge: the fragmentation of project data. By integrating disparate workflows into a unified environment, the company enables design and construction professionals to manage complex communication, documentation, and coordination tasks with total transparency. To date, their technology has been adopted by over 1,500 firms globally, supporting millions of users in the execution of more than 16 million projects worldwide.
Backed by a leading private equity firm, the organization delivers a mix of cloud-native and on-premises platforms designed to mitigate risk and boost operational efficiency. The software serves as a central nervous system for project delivery, having successfully indexed over one billion professional communications and managed millions of critical project actions like submittals and requests for information. In a landscape where nearly three-quarters of firms struggle with project delays due to siloed data, the company provides the essential connectivity required to ensure accountability, streamline handovers, and drive superior built-environment outcomes.
This role:
The Senior DevSecOps Engineer will join the Platform Engineering team and play a pivotal role in establishing and evolving the security-first culture. As a strategic migration from Azure to AWS is in progress, you'll be instrumental in building secure, automated infrastructure and embedding security practices throughout the software development lifecycle. This is an opportunity to shape the DevSecOps foundation for a platform trusted by hundreds of thousands of users managing sensitive project data across the construction industry.
Key Responsibilities:
Security Leadership & DevSecOps Culture
• Champion DevSecOps principles by establishing secure coding standards, threat modeling approaches, and mentorship programs for development teams.
• Partner with engineering leadership to define security KPIs, balancing robust security requirements with development velocity and business needs.
Cloud Security & Infrastructure
• Architect secure AWS environments following the Well-Architected Framework, managing IAM policies, GuardDuty, Security Hub, and WAF.
• Lead the security strategy for the Azure-to-AWS migration, implementing Infrastructure-as-Code (IaC) scanning and policy enforcement using tools like Checkov or tfsec.
CI/CD Automation & Pipeline Security
• Integrate automated security testing (SAST, DAST, SCA) and container vulnerability assessments into CI/CD pipelines at every stage of the SDLC.
• Design automated remediation workflows and compliance checks to ensure software supply chain security and secure artifact management.
Vulnerability Management & Compliance
• Oversee vulnerability scanning programs, penetration testing, and security audits to ensure compliance with AECO industry standards.
• Establish system hardening baselines and maintain incident response playbooks to proactively address emerging threats.
Monitoring & Incident Response
• Design comprehensive security logging and alerting solutions (SIEM, CloudTrail, CloudWatch) to enhance threat detection and response capabilities.
• Lead security investigations, root cause analysis, and the implementation of disaster recovery and business continuity plans.
Cross-Functional Collaboration
• Partner with Software Architects and Platform Engineers to embed security into all architectural decisions and Agile workflows.
• Coordinate with legal and compliance teams on audit preparations and evaluate third-party security vendors to enhance the company's tooling stack.
Must Have Skills:
• 7+ years of experience in DevOps, Security Engineering, or related roles with at least 3 years focused on DevSecOps practices
• Strong hands-on experience with AWS security services and best practices, including IAM, Security Hub, GuardDuty, Config, KMS, and CloudTrail
• Proven track record of implementing security automation and integrating security into CI/CD pipelines
• Deep understanding of infrastructure-as-code security (Pulumi, Terraform, AWS CDK, CloudFormation)
• Experience with container security, including Docker, Kubernetes/EKS security, and container image scanning
• Proficiency with security scanning tools such as SonarQube, Snyk, Aqua Security, Prisma Cloud, or similar
• Strong knowledge of application security principles, OWASP Top 10, and secure coding practices
• Experience with scripting and automation using Python, Bash, or PowerShell
• Understanding of network security, encryption, certificate management, and secrets management
• Familiarity with compliance frameworks (SOC 2, ISO 27001, GDPR) and security audit processes
• Excellent communication skills with ability to explain complex security concepts to diverse audiences
• Experience mentoring and influencing engineering teams on security best practices
• Bachelor's degree in Computer Science, Information Security, or related field
Nice to Have Skills:
• AWS Security certifications (AWS Certified Security - Specialty, AWS Solutions Architect, or similar)
• Additional security certifications such as CISSP, CEH, GIAC, or OSCP
• Experience migrating security controls and practices from Azure to AWS
• Hands-on experience with Azure security services (Azure Security Center, Defender, Sentinel)
• Knowledge of .NET/C# application security and secure development practices
• Experience with React or frontend security considerations
• Familiarity with Kubernetes security tools and practices (admission controllers, policy engines, runtime security)
• Experience with DevSecOps in SaaS/multi-tenant environments
• Knowledge of security considerations for document management and file storage systems
• Experience with API security, OAuth 2.0, SAML, and identity federation
• Familiarity with supply chain security and SBOM (Software Bill of Materials) practices
• Experience with security aspects of AI/ML systems and data protection