We are Canada Life
Being a part of Canada Life means you have a voice. This is a place where your unique background, perspectives and talents are valued, and shape our future success.
You can be your best here. You’re part of a diverse and inclusive workplace where your career and well-being are championed. You’ll have the opportunity to excel in your way, finding new and better ways to deliver exceptional customer and advisor experiences.
Working closely with colleagues, together we deliver on our shared purpose to improve the well-being of Canadians. It’s our driving force. Become part of a strong and successful company that’s trusted by millions of Canadians to do the right thing.
Be your best at Canada Life.
Technology redefines the way we work and deliver to meet business needs and elevate the customer experience. You’ll be part of an organization that is embracing modern technology, innovation and agile ways of working.
Our Canada Technology team is a strategic partner in our business – with an ambition to be a forward-thinking, agile technology organization delivering secure, resilient and leading solutions that support Canada Life and the well-being of millions of Canadians.
We are looking for a Senior Penetration Tester
Given the size and scope of our organization, we have the flexibility for this position to be located in the following head office locations: Toronto, London, Winnipeg.
Penetration testing is a critical security tool that exposes security weaknesses through simulated attacks on the Company’s Information Services environments, which include applications and infrastructure. The results help identify weaknesses that provide a roadmap towards remediation and securing the Company’s Information Technology Assets.
The Sr. Penetration-Tester is a very hands-on representative of the information security team. This role is highly technical, and candidates must possess a solid understanding of information security. Candidates must constantly search for system and application weaknesses to exploit, but they are also expected to always maintain a level of professionalism. While some automated tools will be leveraged, the penetration-tester must realize this is not solely a point-and-click role but requires hands-on expertise with a variety of tools to simulate attacker tactics, techniques, and procedures.
When the Sr. Penetration Tester completes their tasks, they are not only identifying weaknesses in our assets, but they are also educating our Information Technology teams on better methods to protect our most sensitive data. This helps others on the team push for remediation and additional validation, as well as contribute to other collaborative approaches driven by the security team strategy to enhance skillsets for team members. This further allows our Information Technology teams to include these new practices in their future work.
The outcomes from this work also provide validation to our clients’ annual audit and security due diligence exercises, as this work directly affects the security of our client facing systems.
What you will do
Conduct Security Assessments:
Responsible for performing in-depth penetration testing and reporting against Company business applications and operating environments, network infrastructure related to compliance and relevant industry standards. Activities include, but are not limited to, the following:
- Conduct tactical assessments that require expertise in social engineering, application security (web and mobile), physical methods, lateral movement, threat analysis, internal and external network architecture and a wide array of commercial and bring-your-own (BYO) products.
- Perform vulnerability assessments and penetration testing, utilizing commercial and open-source tools.
- Conduct web application penetration testing in line with Open Web Application Security Project (OWASP).
- Exploit security flaws and vulnerabilities with attack simulations on multiple projects working against specific customer systems and networks in accordance with an agreed scope of work.
- Arrange and provide support to business units launching new technology applications and services to verify that new products/offerings are not at risk of compromise or information leakage.
- Effectively provide technical risk assessment of technologies in networks, applications, systems, wireless, and perform social engineering.
- Review and analyze security vulnerability data to identify applicability and false positives.
- Document and formally report testing initiatives, along with remediation recommendations and validation.
- Regularly research and learn new tactics, techniques and procedures (TTPs) in public and closed forums, and work with teammates to assess risk and implement and validate controls as necessary.
- Research and develop testing tools, techniques, and process improvements.
Mentoring and Leadership:
- Work with teammates to consistently learn and share advanced skills and foster team excellence.
- Assist in the development of new application penetration testers.
- Research and learn about information security trends, new testing techniques, and best practices.
- When necessary, assist in threat and incident response (IR) tabletop exercises as well as post-mortem drills with a focus on measurable improvements and benchmarking to show progress (or deficiencies requiring additional attention).
- Liaise with the security engineering team to improve tool usage and workflow, as well as with the advanced threats and assessment team to mature monitoring and response capabilities.
- Perform other duties as assigned.
What you will bring
- 6-9 years of experience
- OSCP, OSCE, GPEN, GWAPT, CSSLP, CISSP designations are an asset
- Familiarity with defensive and monitoring technologies such as intrusion prevention/detection systems (IPS/IDS), security information and event management systems (SIEMs), firewalls, endpoint protection (EPP) and endpoint detection/response (EDR) tools, as well as user and entity behavior analytics (UEBA)
- Understanding of OWASP, the MITRE ATT&CK framework and the software development lifecycle (SDLC)
- Possess strong understanding of web application architecture and development principles.
- Knowledge of application security best practices such as secure coding and security testing techniques.
- Competent with testing frameworks and tools such as Burp Suite, Metasploit, Cobalt Strike, Kali Linux, Nessus, PowerShell Empire and AutoSploit.
Be your best at Canada Life - Apply today
We are one of Canada's top 100 employers!
Canada Life serves the financial security needs of more than 13 million people across Canada, with additional operations in Europe and the United States. As members of the Power Financial Corporation group of companies, we’re one of Canada’s leading insurers with interests in life insurance, health insurance, investment and retirement savings. We offer a broad portfolio of financial and benefit plan solutions for individuals, families, businesses and organizations.
We are committed to providing an inclusive, accessible environment, where all employees and customers feel valued, respected and supported. We are dedicated to building a workforce that reflects the diversity of the communities in which we live, and to creating an environment where every employee has the opportunity to reach their potential.
Canada Life would like to thank all applicants; however, only those who qualify for an interview will be contacted.