Senior Application Security Engineer

About Us

Spring Financial is a Canadian financial technology company focused on making every day financial services simpler, faster, and more accessible.

We build technology that helps Canadians build credit, save money, and access lending products without unnecessary friction. Our platforms allow customers to apply and manage their finances online, by text, or over the phone, making the experience convenient and flexible.

Since launching in 2014, Spring has grown into one of Canada’s largest fintechs, with over 250,000+ product originations across credit-building products, personal lending, and mortgage solutions.

We’re a fast-growing, product-driven team that values practical solutions, strong execution, and thoughtful collaboration. We give people ownership, trust them to make decisions, and focus on building systems that scale reliably.

If you’re interested in working on real-world fintech platforms used by hundreds of thousands of Canadians, Spring offers the opportunity to make a tangible impact through well-built technology.

NOTE: This is a full-time, permanent, hybrid position in downtown Vancouver, with 3 set days in the office and 2 WFH.

Job Overview

As a Senior Application Security Engineer at Spring Financial, you will lead technical efforts to secure the software systems that power our business. You are responsible for driving security best practices across our engineering organization — embedding secure development into how we design, build, and deploy software.

You’ll work closely with product engineering, DevOps, platform, and compliance teams to identify risks, implement controls, and help teams ship secure, reliable features. You bring hands-on expertise in secure coding, threat modeling, and modern appsec tooling, along with the communication skills to influence cross-functional teams.

This is primarily an individual contributor (IC) role, but may include leading a small team of engineers or acting as the technical owner for application security across the organization. You are expected to lead by example — through strong technical execution, collaborative problem-solving, and a practical, risk-aware approach to security.

You’ll play a critical role in scaling our secure development lifecycle, supporting audit and compliance needs (e.g. SOC 2), and ensuring Spring’s applications can evolve quickly without compromising trust.

What You’ll Do

• Own Spring’s application security strategy and roadmap — aligning initiatives with risk priorities, business needs, and platform evolution.
• Lead the definition and rollout of secure development practices (e.g., threat modeling, secure code review, dependency management, static/dynamic analysis).
• Partner with engineering teams to identify and remediate security risks across applications, services, APIs, and cloud environments.
• Define and manage Spring’s SDL (Secure Development Lifecycle), embedding security reviews, tooling, and guardrails into CI/CD workflows.
• Support Spring’s compliance posture, including SOC 2 readiness, audit participation, and evidence gathering for application-level controls.
• Own or contribute to incident response efforts for application-related vulnerabilities or exposures.
• Evaluate and implement security tools and services (e.g., SAST, DAST, SBOM, secrets scanning, WAF, CSPM) that improve detection and resilience.
• Collaborate with platform, DevOps, and IT teams on access control, secret management, and zero-trust enforcement.
• Mentor and grow the appsec team, supporting both technical depth and cross-functional influence.
• Support audit and compliance efforts by providing evidence, documentation, and system-level controls related to application security.
• Act as a subject matter expert for product and engineering teams on secure architecture, data protection, and third-party risk.
• Track and communicate security posture through clear metrics, risk registers, and executive-level reporting.
  
  

What You Should Already Have

• 5+ years of experience in application security, software engineering, or security engineering roles, including at least 2 years in a leadership capacity.
• Deep knowledge of web and cloud application security principles, OWASP Top 10, and secure coding best practices.
• Experience implementing SDL processes and integrating security into CI/CD pipelines and agile environments.
• Familiarity with threat modeling frameworks (e.g., STRIDE, PASTA) and secure architecture reviews.
• Familiarity with cloud-native architecture (e.g., AWS, microservices, containerization, API gateways).
• Hands-on experience with modern appsec tools (e.g., Snyk, GitHub Advanced Security, Burp Suite, Semgrep, Checkov, or similar).
• Understanding of common identity, access, and secrets management patterns (e.g., OAuth, JWT, Vault, AWS IAM).
• Strong communication and collaboration skills; able to influence without authority and align across engineering and business stakeholders.
• Experience supporting compliance initiatives such as SOC 2, PCI DSS, or ISO 27001 is a plus.
  
  

What We Will Give You

• Competitive annual salary ranging from $131,500 to $155,000, reflective of experience and impact.
• Comprehensive benefits package, including extended health, dental, and vision coverage — with 100% of monthly premiums covered by the Spring.
• GRSP matching program to support your long-term financial goals.
• Transit-Friendly Employer (Transit allowance).
• A modern, collaborative workspace in the heart of downtown Vancouver.
• Ongoing career growth opportunities.
• This position is hybrid and requires in-office presence; relocation assistance is available for the hired candidate (if out of province)
  
  

This is a truly exciting time to join Spring Financial and we are looking forward to doing great things together!

Please note: Upon applying, our Talent Acquisition team will review your resume. If you qualify, we will reach out to learn more about your experience and answer any questions you may have about the role, benefits, compensation, and more. Due to high application volume, we may not be able to respond to everyone.

Thank you for your interest! We appreciate your time and look forward to reviewing your application!