Staff Developer / Development Manager, Application Security
Calgary, AB, Canada
Full Time
Experienced
Reports To: Director of Development, Architecture
Location: Calgary or Remote
About the Job:
When this company started, it was just a few of us furiously working to find product-market fit, and as with many startups, technical debt accumulated. Ten years later, we've found that market fit. We're revenue positive, our customers love us, and with that growth has come new responsibility.
PCI Level 1 became a requirement to do business, and we've achieved SOC 2 compliance — certifications we must maintain, along with our reputation and our commitment to our customers. While we have achieved a higher profile, an explosion of new penetration tools and techniques has emerged; we can no longer fly under the radar.
While we work hard to improve our security, those efforts must be balanced against business and customer needs. We need people who can identify security concerns, prioritize them, and build solutions — all while understanding the ripple effects those changes will have across the business. While establishing a solid security posture, we want to proactively find and remediate issues before they are discovered for us and create a security-first SDLC within the company.
Our Tech Stack:
- Front End: React Native, React, JavaScript
- Backend: Ruby on Rails, GraphQL, PostgreSQL, Redis, CouchDB
- Cloud Platform: AWS
- Tools: GitHub, Sidekiq, Docker
Security at atVenu spans the codebase, the compliance program, and the team culture. You'll be part of all of it.
- Security program leadership: Define the roadmap, own the risk register, and make the case to engineering and executive leadership for what gets resourced and when. You know when to accept calculated risk and when to hold the line — your decisions are pragmatic and reflect thought towards the needs of our business, our customers and compliance.
- Team management: Hire, develop, and retain application security developers. Set technical direction, run code and architecture reviews, unblock your team, and build a security culture that scales across a fast-moving engineering organization without becoming a bottleneck.
- PCI, GDPR, and SOC2 ownership: Maintain and reduce cardholder data environment scope across our Rails API, GraphQL layer, PostgreSQL, and mobile POS app. Own the SOC2 security controls roadmap and drive it to completion.
- Offline payment security: Our React Native POS runs without connectivity during events and syncs payment data on reconnect. You'll direct the audit and hardening of encryption, key management, and CouchDB sync pipeline — a non-trivial challenge when card data lives on-device before it reaches our Rails API.
- Release security reviews: Ensure GraphQL API changes are reviewed for injection risks, IDOR vulnerabilities, and over-exposed tenant data before they reach 500+ venues. Own the SAST/DAST integration in our GitHub CI pipeline and set the bar for what ships.
- Vulnerability and CVE triage: Lead risk-ranked remediation across our Rails/Redis/PostgreSQL/CouchDB stack. Live events don't pause for maintenance windows — your team needs a clear, fast process for deciding what gets patched and when.
- Threat modelling and architecture review: Embed threat modelling into product development for new features — mobile ordering flows, vendor integrations, new hardware platforms. Your team challenges assumptions before code ships.
- Incident response: Be one of the application-layer authorities when something goes wrong at an event. Lead forensics, remediation, and post-mortems in collaboration with Engineering and Compliance.
- 8+ years of development experience with at least 3 years in security-focused roles or responsibilities, plus demonstrated people management experience.
- Experience building or maturing a security program — roadmap ownership, risk prioritization, and cross-functional alignment with Engineering, Compliance, and Product.
- Strong Ruby on Rails and React/React Native skills — you write and review production code, not just run scanners, and you've earned the kind of technical credibility that makes engineers actually listen when you make a point. Devs want to learn from you!
- Proven ability to communicate security risk to both technical and non-technical audiences and get organizational buy-in without resorting to fear or alarmism.
- Hands-on AWS security experience: IAM, VPC, secrets management, CloudTrail/GuardDuty.
- Deep knowledge of OWASP Top 10 (web and mobile), API security patterns, and common authentication/authorization flaws.
- Experience with and interest in AI tooling; you know when to use it and when to go old school.
- Experience in the payment, retail and e-commerce space.
- Experience with PCI, GDPR and/or SOC2 compliance in a production SaaS environment; deep knowledge of compliance and privacy management across North America and Europe.