Canopy is hiring a Senior Security Engineer to strengthen our security posture across application, cloud, and operational domains. In this role, you will assess our environment, identify gaps, build out the security roadmap, and own initiatives through to completion.
What You'll Do
- Evaluate Canopy’s security posture across application, cloud, and infrastructure layers, identifying gaps, prioritizing remediation, and owning roadmap items through to completion.
- Lead application security efforts including code review across Python and Java/Kotlin codebases, API security assessments, and providing secure development guidance.
- Integrate and manage SAST tooling within CI/CD pipelines, owning finding triage, rule tuning, and false positive management.
- Collaborate with DevOps on AWS cloud security posture, including Security Hub, GuardDuty, WAF rule management, AMI/golden image pipelines, and infrastructure-as-code security via Terraform.
- Mature and evolve Canopy’s incident response program, improving playbooks, processes, and readiness.
- Build security automation and tooling using Python, including API integrations, data enrichment workflows, and tool orchestration.
- Partner cross-functionally with engineering, DevOps, and IT to embed security into development and operational workflows.
What We're Looking For
- 6+ years of experience in information security, with a focus on application security, cloud security, or security engineering.
- Experience working at a SaaS company with production environments in AWS.
- Strong application security skills including code review in Python and/or Java/Kotlin, API security, and familiarity with common web application vulnerabilities.
- Hands-on experience with SAST tools and integrating them into CI/CD pipelines.
- Working knowledge of AWS security services and infrastructure-as-code tools like Terraform.
- Proficiency in Python for security automation, scripting, and API integrations.
- Incident response experience in a structured IR program, with the ability to mature processes and lead investigations.
- Ability to identify strategic security gaps, build a roadmap, and drive initiatives to completion with minimal oversight.
- Strong communication skills with the ability to translate security risks into business context for both technical and non-technical audiences.
Nice to Have
- Experience with server-side EDR platforms.
- Familiarity with container security and Kubernetes environments.
- Relevant certifications.
- Experience with WAF rule management and DDoS mitigation strategies.
Technical Stack
- Languages: Python, Java/Kotlin
- Cloud & Infrastructure: AWS, Security Hub, GuardDuty, WAF, Terraform, EC2 Image Builder, SSM
- Security Tools: Semgrep, Snyk Code, Checkmarx, GitHub Advanced Security
- CI/CD & Automation: GitHub Actions/GitLab
Team & Environment
You will report to the Director of DevOps, Security & IT.
Benefits & Compensation
- Flexible Paid Time Off plus 10 company holidays
- Health Benefits including Medical, Dental, and Vision and an HSA Match
- 401(k) match 100% up to 3% of your contribution
- Mental Health access to Impact Suite & to our Employee Assistance Program
- Paid New Parent Leave & Birthing Parent Leave
- Supplemental Benefits including 100% company paid Basic Life & AD&D insurance and long & short-term disability coverage
- Nectar peer-to-peer recognition program
- Company Events and ERG Committees
- Fully-stocked kitchen
Work Mode
This is a hybrid role based in South Jordan, UT.
Canopy is an equal opportunity employer and provides equal employment opportunities to all employees and applicants without regard to race, color, religion, gender, national origin, sexual orientation, gender identity or expression, age, disability, genetic information, marital status, or veteran status.
