Loblaw Companies Limited
Technical lead, Application Security & Penetration Testing
The complete job description, requirements, and application details are available on the original posting.
About Loblaw Companies Limited
Loblaw Companies Limited is Canada's largest food and pharmacy retailer, established in 1919 in Toronto. The company operates over 2,400 corporate and franchised stores across the country, offering a wide range of products and services. Loblaw pioneered the self-serve grocery model and has evolved into a family business focused on food, health, beauty, and financial services. Loblaw's grocery retail includes well-known banners such as Loblaws, Real Canadian Superstore, No Frills, and T&T Supermarket. The company also operates pharmacies, providing health and wellness products through Shoppers Drug Mart and other outlets. In addition to groceries and pharmacy services, Loblaw offers private-label brands like President's Choice and Life Brand, as well as apparel and banking services through PC Financial. With a commitment to affordability and community service, Loblaw caters to millions of Canadians, targeting diverse customer segments and enhancing its digital platforms for online shopping and home delivery.
Security at Loblaw Companies Limited
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
Loblaw's AppSec mission is to "Lead AppSec in building Secure pipelines." Their approach to developer enablement involves driving a "shift-left strategy — embedding security into every phase of the SDLC" and managing "tool integrations and findings triage in Azure DevOps, GitLab, and Jenkins CI/CD pipelines." The risk philosophy includes designing and deploying "intelligent automation for SAST, DAST, SCA, IaC, and secret scanning tools" and acting "as the Incident Commander for major cybersecurity events." Stated pain points or goals include acting "as a security evangelist for GenAI use in security," managing "bug bounty programs (e.g., HackerOne, Bugcrowd, Synack)," and establishing "KPIs and dashboards for vulnerability trends and researcher engagement." No explicit AppSec mission statement beyond role-level responsibilities was found.
Security Team
The AppSec team's organizational structure indicates reporting "to a director." Vivek Khindria was formerly the Senior Vice President Cyber Security, Network, and Technology Risk, as of. The current team size is not publicly available. As of, there are 2 active AppSec job postings: 'Technical lead, Application Security & Penetration Testing' and 'Senior Specialist, Application Security'. Common skill and tool patterns include owning and enhancing the application security program across SAST, DAST, SCA, and secrets scanning tools; managing tool integrations and findings triage in Azure DevOps, GitLab, and Jenkins CI/CD pipelines; using tools such as Veracode, Burp Suite, Netsparker, Trivy, SonarQube, and GitGuardian; and managing bug bounty programs (e.g., HackerOne, Bugcrowd, Synack). No public org chart or verified current AppSec leader(s) were found.
Key Initiatives
No explicit Security Champions program description was found, though job postings mention developer training. Loblaw drives a "shift-left strategy — embedding security into every phase of the SDLC" and manages "tool integrations and findings triage in Azure DevOps, GitLab, and Jenkins CI/CD pipelines." Their vulnerability management process includes intake via "bug bounty programs (e.g., HackerOne, Bugcrowd, Synack)," triage and remediation by validating and triaging reports to prioritize high-impact vulnerabilities, and ticketing/ownership through managing tool integrations and findings triage in CI/CD pipelines. SLA/MTTR information is not publicly available. Secure SDLC artifacts involve designing and implementing "threat modeling, secure code review, and vulnerability remediation frameworks," and performing and reviewing "penetration tests on web, mobile, and API applications aligned with OWASP Top 10 and OWASP API Top 10." Recent initiatives (last 6 months) include acting "as a security evangelist for GenAI use in security" and complying with "all company standards relating to Artificial Intelligence (AI), Machine Learning (ML), Large Language Model (LLM)." No public timeline for specific tool rollouts was found.