Application Security Engineer
Car shopping is complicated. At CarGurus, we use data and technology to make it simple, giving people the tools they need to confidently find, buy, finance, or sell a car. The best part? Our work makes a real impact. We’re the most-visited car-shopping site in the US and we are growing fast in our international markets. Ready to come along for the ride?
The Application Security Engineer will report into our Vice President of Information Security and act as a key contributor to continuously improve and build the application security of our product offerings. The ideal candidate will have experience working in a SaaS environment, collaborating, and advising the Product, Development, Infrastructure, and Privacy teams on the best methods for securing our product. This includes building a security first-in-mind approach for our products and enhancing our current Software Development Lifecycle (SDLC).
This Engineer should be comfortable performing technical application threat analysis, threat modeling, defense in depth strategies, security control gap analysis, and threat mitigation. They must have a pragmatic approach to risk management by striking a balance between the organization’s risk tolerance and the security of our customers, partners, and employees.
The candidate must have experience with penetration testing and be able to detect security flaws in code and provide guidance to engineers on how to remediate them. This includes responding to internal and external contributors of our hacker bug bounty program.
What You'll Do:
Program development
- Educate, guide, and make recommendations to engineers on secure coding practices.
- Apply service-oriented security architecture principles to ensure confidentiality, integrity, and availability (CIA) requirements are met.
Vulnerability Management
- Identify and validate threats to CarGurus applications.
- Analyze results of dynamic and static code analysis and scanning in the CI pipeline.
- Assist in third-party web application vulnerability testing engagements.
- Work to remediate security vulnerabilities in the product within defined Service Level Agreements (SLAs).
Architecture
- Assist in integrating new security solutions into the product development lifecycle.
- Automate security configurations to support product user access controls.
Technical Qualifications:
- Bachelor’s Degree or equivalent combination of education and experience in Information Security or Computer Science.
- 2-4 years of experience as an application security practitioner with privacy by design experience.
- Prior experience as a penetration tester.
- Industry certifications such as SANS certifications (GWAPT) and others; CISSP (preferred, or CSSLP), OSCP (and related) are nice to have.
- Working knowledge of web/application-layer security and attack vectors, including experience conducting end-to-end application security assessments with application decomposition.
- Familiarity with widely accepted vulnerability frameworks and guidance (CVSS, OWASP, NIST, etc.).
- Experience with RBAC models, SSO solutions, identity stores and directory services (SAML 2, OAuth 2, OIDC).
- Experience with authoring and maintaining application security policies, standards, and procedures.
- Familiarity with CIS and NIST security frameworks, and SOX compliance controls.
Non-technical Qualifications:
- Proactively tie technical security risks to tactical organizational activities and goals.
- Operate with a pragmatic approach to risk while considering business needs.
- Clearly articulate issues and communicate in an effective and personable manner.
- Adjust quickly to the security needs of a highly agile organization, must be flexible and adaptable to change.
- Time management to effectively work across multiple projects.
- Establish relationships across multiple business units to inform and educate on security industry norms.
CarGurus Culture:
Research shows that while men apply to jobs when they meet an average of 60% of the criteria, women and other marginalized folks tend to only apply when they check every box. So if you think you have what it takes, but don't necessarily meet every single point on the job description, please still get in touch. We'd love to have a chat and see if you could be a great fit.
At CarGurus, we invest in our people’s professional growth with everything from learning and development programs to tuition reimbursement. Want to work on projects that expand your skill set without sacrificing your work/life balance? You got it. We also strive to provide perks and benefits that employees actually care about like free lunch, commuter subsidies, and more. That includes equity in the company—our way of showing that we want you here for the long haul.
We work hard every day to build the world’s most trusted and transparent automotive marketplace, but trust and transparency don’t just apply to our consumers. They extend to our talent, too. We aim to create a workplace where everyone feels they can bring the ultimate expression of themselves and their potential—where you don’t just fit, you thrive. We don’t discriminate based on race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation.
We recognize that flexibility plays a critical role in enabling our people to thrive in both their personal and professional lives. We currently welcome Gurus into our Cambridge, MA office on a voluntary basis but do not require employees to physically be in the office. We will adopt a hybrid working model when health experts and government officials in our local communities deem it safe to do so. Specific arrangements within this model will be up to team leaders’ discretion; we encourage you to discuss your questions and needs during the interview process.
All US CarGurus employees are required to provide proof of full vaccination against COVID-19, unless they have an approved medical or religious accommodation. This helps us to safeguard the health of our employees and their families, our customers and visitors, and the community at large.