Job Title


Senior Application Security Engineer


Company : Relay


Location : Toronto, Ontario


Created : 2025-11-03


Job Type : Full Time


Job Description

Our mission is to increase the success rate of small businesses. Traditional banking has been a growth limiter rather than a growth enabler for business owners, and we're changing that. Relay is the all-in-one, collaborative money management platform. We're building for employer SMBs and their finance function, internal and external, and are focused on delivering a human-centric customer experience. Ultimately, we help SMBs 'be on the money'.

We're looking for a Senior Application Security Engineer who thrives on autonomy, curiosity, and impact. You'll work across our stack (from TypeScript and Node.js, to Postgres and AWS cloud infrastructure) ensuring our applications are secure from design to deployment. You'll blend technical depth with systems thinking, working across teams to identify risks, build guardrails, and evolve our security practices as Relay scales. This isn't a ticket queue role.

Join AppSec to make Relay the safest financial platform for SMBs. You'll eliminate vulnerabilities before they ship, tame supply-chain risk, and raise the bar on identity, AI safety, and runtime assurance. As part of the platform team you will work closely with our Site Reliability Engineers to ensure that all of our production workloads are safe and secure.

What You'll Be Doing

Shift-left guardrails. Build and maintain secure-by-default libraries and CI checks (SAST/DAST/Secrets/SCA, threat-model gates) so PRs pass AppSec checks and Critical issues are not merged to the codebase. You will partner with product teams to make sure application security controls are in place and secure product standards are met before products ship to customers.
Identity & account protection. Engage stakeholders and business partners to harden authentication (e.g., passkeys/WebAuthn), step-up flows, and session controls; drive measurable reduction in security violations.
Software supply chain. Enforce provenance: SBOM on every build, dependency pinning/owner verification, private registries/proxies, and runtime SCA detections.
SDLC & IDE integration. Embed security into CI/CD (GitHub Actions, pipelines) across JS/TS/Python/more services; maintain secure coding capabilities with IDE integration for all delivery teams.
Cloud & infra security. Partner with SREs to enable infrastructure security and embed security features into core applications and workflows.
AI security. Guide features through AI risk reviews; cover OWASP Top 10 for LLMs; add safeguards for prompt injection, data leakage, and excessive agency; govern AI-generated code in CI.
Threat intel & offensive testing. Track emerging attacks (esp. npm and fintech), run targeted black-box tests, support red/purple team exercises, and publish actionable playbooks.
VDP & bug bounty. Triage researcher reports, reproduce/assess impact, coordinate fixes with owners, and close the loop with clear comms and durable controls.
Tooling. You have experience working with security tooling and monitoring/alerting systems.
Evangelize security. Mentor team members on secure patterns; write concise guidance and runbooks that accelerate delivery rather than slow it down.

Who You Are

Experience: You have 5+ years of experience in Application Security, Product Security, Penetration Testing, or similar roles.
Software Development: You are an expert in JavaScript, TypeScript, and Python; you can review PRs, contribute code, and create secure libraries in these languages.
Security fundamentals: Deep understanding of OWASP Top 10 and real-world exploitation/mitigation techniques.
Enablement focused: You strive to accelerate development teams and value guardrails over gates.
Clear communicator & collaborator: You are a collaborator who loves to partner with developers to bring value to customers in the most secure way possible.
Ownership: You have a sense of responsibility towards problems and take ownership over them, making sure nothing is forgotten and stakeholders stay informed.
Mentorship: You are comfortable mentoring team members and members of other teams on security best practices.

Bonus Points

Implemented passkeys/WebAuthn or phishing-resistant MFA at scale.
Experience with Socket.dev, Semgrep, Datadog AppSec, GitHub Advanced Security, ZAP/IAST, Burp Suite.
Built private npm proxies, artifact repos, and SLSA-aligned pipelines.
Led or contributed to red/purple team exercises and game days.
Fintech/regulatory experience; experience working in compliant environments such as SOC 2.
Securing AI workflows and products.
You've joined a company at its early stages and have seen it through scale.
Show us your home lab!

Our Commitment to You

Competitive salary and meaningful equity: Relay employees are Relay owners, complete with equity and a competitive salary.
Comprehensive health benefits: Enjoy full health benefits from day one. We offer flexible Health or Wellness Spending Accounts and medical, dental, and vision coverage for you and your dependents.
Flexible vacation and time off: Every team member starts with 15 vacation days and 5 flex days to use as needed, plus an extra week of office closure during the end-of-year holidays so you can take time off to recharge and come back better for our customers.
Parental leave with top-up: We offer 12 weeks off with a 100% salary top-up for all full-time employees, regardless of location, and accessible for all parents: birthing, non-birthing, and adoptive.
Hybrid work environment: We value meaningful collaboration and connection at our Toronto office twice a week, with lunch, snacks, and beverages on us.
Dog-friendly space: Can dogs really make you happy and healthy? We don't know for sure, but since we don't want to chance it, our office is 100% floof-friendly.
Personal and professional growth: Through ongoing feedback, mentorship, and coaching, work with peers and leaders who are invested in your growth and success.
Top-tier equipment: As a Mac-first company, our Toronto offices have everything you need to produce your best work comfortably, from multiple screens to ergonomic seating.
Social connection: We believe in celebrating our wins with two annual company-wide get-togethers, quarterly team events, happy hours, and special events and networking opportunities with industry leaders.

The Interview Process

Stage 1: A 45-minute Google Meets video call with a member of our Talent team.
Stage 2: A 60-minute Google Meets video call with the hiring manager going through some technical questions.
Stage 3: A 60-minute secure code review exercise with the hiring manager and another senior member of our AppSec team.
Stage 4: A 45-minute in-person interview with a member of our leadership team.
Stage 5: A take-home assignment forming the basis for a 60-minute Google Meets video call with two members of our AppSec team to review the assessment.

Why Relay Might Be the Perfect Fit For You

You push relentlessly for reinvention: You're built to constantly ask, "How can this be better?" Change excites you and you drive it.
You crave autonomy: We trust our team with big challenges and the freedom to solve them. If you're someone who takes initiative, is comfortable taking risks, and seeks input when needed, you'll find the freedom here empowering.
You own your work: You take pride in your work, follow through on commitments, and feel a deep sense of responsibility for outcomes, not just tasks.
You treat comfort as a red flag: You seek growth. When things feel too comfortable, you lean into change. You're excited about stepping into the unknown and navigating new terrain to create something better alongside your team.
You care about impact, not noise: You care deeply about the substance of your work. You measure success by results, not recognition, and you let your work speak for itself.
You're energized by complexity and ambiguity: You enjoy tackling problems that don't come with a playbook. You're comfortable building from scratch, iterating as you go, and collaborating to shape the best path forward.
You seek out feedback: We value directness, clarity, and respect. We believe honesty fuels great work and career growth. You see feedback as a tool for learning and improvement, and you know that open, honest dialogue is key to achieving the best results together.
You're here for more than a job: At Relay, everything we do is in service of our mission to help small businesses thrive. To drive impact and have purpose here, that mission must matter to you too.

Our Promise

We're driving real change for small business owners, powered by truly remarkable people. At Relay, you'll find the confidence to take chances, trust to take initiative, and the support you need to build a career you love. Here, we make sure every team member feels empowered to make big decisions, encouraged to ask tough questions, and challenged to take risks that result in work we're all proud of. We give you the baton; you run the Relay.

What's Important To Us

Research shows that women-identifying and other marginalized individuals often apply only if they meet 100% of the qualifications. But no one is a perfect match on paper. If this role excites you, we'd love to hear from you and figure out together if it's a great fit.

At Relay, we believe that diversity is key to building high-performing teams, and creating an inclusive work environment is our priority. We are an equal opportunity employer and welcome people of diverse backgrounds, perspectives, and skills. We will work with applicants to provide accommodations at any stage of the hiring process. If you require accommodations during the interview process, please email your Talent Partner, and we will work with you to meet your needs.

Seniority level: Mid-Senior level
Employment type: Full-time
Job function: Information Technology
Industry: Banking