Principal Application Security Engineer
Car shopping is complicated. At CarGurus, we use data and technology to make it simple, giving people the tools they need to confidently find, buy, finance, or sell a car. The best part? Our work makes a real impact. We’re the most-visited car-shopping site in the US and we are growing fast in our international markets. Ready to come along for the ride?
The Principal Application Security Engineer will report to our Vice President of Information Security and be responsible for continuously improving and maintaining the application security of our product offerings. The ideal candidate will have experience working in a SaaS environment, collaborating with and advising the Product, Development, Infrastructure, and Privacy teams on the best methods for securing our product.
This includes building a security-first approach for our products and enhancing our current Software Development Lifecycle (SDLC).
Educating product owners and engineers on secure development best practices is important to this role. The candidate must have solid presentation and delivery skills; a charismatic personality is a bonus.
The Engineer will have experience performing technical application threat analysis, threat modeling, defense in depth strategies, security control gap analysis, and threat mitigation. They must have a pragmatic approach to risk management by striking a balance between the organization’s risk tolerance and the security of our customers, partners and employees.
The candidate must be committed to building an application security program that scales both technically and organizationally. Patience is key, as you will be changing the oil while the car is running!
You will serve as the Lead Security Architect on new feature development and will be expected to participate on multiple Architecture Guilds.
What You'll Do:
Program development
· Design, architect, and implement application security and privacy by design standards and policies (secure SDLC) in accordance with industry frameworks.
· Educate engineers and provide guidance and recommendations on secure coding practices.
· Apply service-oriented security architecture principles to ensure confidentiality, integrity, and availability requirements are met.
Vulnerability Management
· Continue to mature the vulnerability management program.
· Build dynamic and static code analysis and scanning into the CI pipeline.
· Manage third-party web application vulnerability testing engagements.
· Manage and assist in remediating security vulnerabilities in the product to adhere to defined Service Level Agreements (SLAs).
Architecture
· Research and integrate new security solutions into the product development lifecycle.
· Establish automated security configurations to support product user access controls.
· Work with the infrastructure engineering and product teams to conduct and complete security architecture reviews and designs for the product requirements.
Leadership
· Act as lead member of incident response for application security.
· Serve on the Security Guild and collaborate with the other Architecture Guilds to ensure security is at the forefront of people’s minds.
· Provide mentorship for junior team members.
Who You Are:
Technical Qualifications:
· Bachelor’s Degree or equivalent combination of education and experience in Information Security or Computer Science.
· 7-12 years of experience as an application security practitioner with 3-5 years of security architecture and privacy by design experience.
· Prior experience as a penetration tester.
· Industry certifications are nice to have, such as SANS/GIAC certifications (GWAPT and others), CISSP (preferred) or CSSLP, and OSCP or related offensive certifications.
· Working knowledge of web/application-layer security and attack vectors. Must be able to conduct end-to-end application security assessments, including application decomposition, using commercial dynamic and static code analysis tooling.
· Extensive experience building and managing a vulnerability management program.
· Familiarity with widely accepted vulnerability frameworks and guidance (CVSS, OWASP, NIST, etc.).
· Solid understanding of RBAC models, SSO and federation protocols (SAML 2.0, OAuth 2.0, OIDC), identity stores, and directory services.
· Proven track record of authoring and maintaining application security policies, standards, and procedures.
· Prior member of a Security Incident Response Team (SIRT) where you investigated events, triaged potential incidents, and conducted forensic analysis in conjunction with a Security Operations team.
· Familiarity with CIS and NIST security frameworks, and SOX compliance controls.
Non-technical Qualifications:
· A “can-do”, positive attitude - team player.
· Proactively tie technical security risks to tactical organizational activities and goals.
· Operate with a pragmatic approach to risk while considering business needs.
· Clearly articulate issues and communicate in an effective and personable manner.
· Adjust quickly to the security needs of a highly agile organization, must be flexible and adaptable to change.
· Manage all aspects of large-scale projects to bring about organizational change.
· Build relationships across multiple business units to inform and educate on security best practices.
CarGurus Culture:
Research shows that while men apply to jobs when they meet an average of 60% of the criteria, women and other marginalized folks tend to only apply when they check every box. So if you think you have what it takes, but don't necessarily meet every single point on the job description, please still get in touch. We'd love to have a chat and see if you could be a great fit.
At CarGurus, we invest in our people’s professional growth with everything from learning and development programs to tuition reimbursement. Want to work on projects that expand your skill set without sacrificing your work/life balance? You got it. We also strive to provide perks and benefits that employees actually care about like free lunch, commuter subsidies, and more. That includes equity in the company—our way of showing that we want you here for the long haul.
We work hard every day to build the world’s most trusted and transparent automotive marketplace, but trust and transparency don’t just apply to our consumers. They extend to our talent, too. We aim to create a workplace where everyone feels they can bring the ultimate expression of themselves and their potential—where you don’t just fit, you thrive. We don’t discriminate based on race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation.
CarGurus employees in the US can choose to work from home / remotely for the duration of 2021, or participate in a phased return to our beautiful office spaces. We expect most roles to be in-office at least 3 days a week beginning January 2022. In addition to the US, CarGurus operates sites in Canada and the UK. We have offices in Cambridge, MA; Detroit, MI; Dublin, Ireland; San Francisco, CA and London, UK. Check out our careers page to learn more.