Principal Application Security Engineer
Who we are
At CarGurus (NASDAQ: CARG), our mission is to give people the power to reach their destination. We started as a small team of developers determined to bring trust and transparency to car shopping. Since then, our history of innovation and go-to-market acceleration has driven industry-leading growth. In fact, we’re the largest and fastest-growing automotive marketplace, and we’ve been profitable for over 15 years.
What we do
The market is evolving, and we are too, moving the entire automotive journey online and guiding our customers through every step. That includes everything from the sale of an old car to the financing, purchase, and delivery of a new one. Today, tens of millions of consumers visit CarGurus.com each month, and ~30,000 dealerships use our products. But they're not the only ones who love CarGurus—our employees do, too. We have a people-first culture that fosters kindness, collaboration, and innovation, and empowers our Gurus with tools to fuel their career growth. Disrupting a trillion-dollar industry requires fresh and diverse perspectives. Come join us for the ride!
Role overview
The Principal Application Security Engineer will report to our Sr. Manager of Information Security and be responsible for continuously improving and maintaining the application security of our product offerings. The ideal candidate will have experience working in a SaaS environment, collaborating, and advising the Product, Development, Infrastructure, and Privacy teams on the best methods for securing our product.
This includes building a security first-in-mind approach for our products and enhancing our current Software Development Lifecycle (SDLC).
Educating product owners and engineers on secure development best practices is important to this role. The candidate must have solid presentation and delivery skills; a charismatic personality is a bonus.
The Engineer will have experience performing technical application threat analysis, threat modeling, defense in depth strategies, security control gap analysis, and threat mitigation. They must have a pragmatic approach to risk management by striking a balance between the organization’s risk tolerance and the security of our customers, partners and employees.
The candidate must be committed to the building an application security program that scales both technically and organizationally. Patience is key as you will be changing the oil while the car is running!
You will serve as the Lead Security Architect on new feature development and will be expected to participate on multiple Architecture Guilds.
What you'll do
Program development
- Implement a secure Systems and Software Development Lifecycle with security gates and testing across SAST, DAST, and vulnerability scans with an emphasis on automating tools and process integration.
- Design, architect, and implement application security and privacy by design standards and policies in accordance with industry frameworks.
- Educate, provide guidance and recommendations to engineers on secure code practice practices.
- Define the DevSecOps strategy and partner with application teams for adoption and continuous security posture improvement.
- Apply service-oriented security architecture principles to ensure confidentiality, integrity, and availability requirements are met.
- Determine and define project scope, objectives, and deliverable for large-scale application security project.
- Identify metrics and Key Performance Indicators (KPIs) for application security program.
Vulnerability management
- Continue to mature the vulnerability management program.
- Build dynamic and static code analysis and scanning into the CI/CD pipeline.
- Manage third-party web application security testing engagements.
- Manage and assist in remediating security vulnerabilities in the product to adhere to defined Service Level Agreements (SLAs).
Architecture
- Research and integrate new security solutions into the product development lifecycle.
- Establish automated security configurations to support product user access controls.
- Work with the infrastructure engineering and product teams to conduct and complete security architecture reviews and designs for the product requirements.
Leadership
- Encourage innovation, the implementation of cutting-edge technologies, inclusion, outside-of-the-box thinking, teamwork, self-organization, and diversity.
- Act as lead member of incident response for application security.
- Serve on the Security Guild and cross collaborate with other Architecture Guilds to ensure security is at the forefront of people’s minds.
- Provide mentorship for junior team members.
What you'll bring
- Bachelor’s Degree or equivalent combination of education and experience in Information Security or Computer Science.
- 7-12 years of experience as an application security practitioner with 3-5 years of security architecture and privacy by design experience.
- Prior experience building and improving an application security program.
- Industry certifications such as SANS certifications (GWAPT) and others; CISSP (preferred, or CSSLP), OSCP (and related) are nice to have.
- Deep knowledge of web/application-layer security and attack vectors. Must be able to conduct end-to-end application security assessments with application decomposition experience with commercial dynamic and static code analysis tooling.
- Familiarity with widely accepted vulnerability frameworks and guidance (CVSS, OWASP, NIST, etc.).
- Solid understanding of RBAC models, SSO solutions, identity stores and directory services (SAML 2, OAuth 2, OIDC).
- Proven track record of authoring and maintaining application security policies, standards, and procedures.
- Familiarity with CIS and NIST security frameworks, and SOX compliance controls.
- A “can-do”, positive attitude - team player.
- Proactively tie technical security risks and to tactical organizational activities and goals.
- Operate with a pragmatic approach to risk while considering business needs.
- Clearly articulate issues and communicate in an effective and personable manner.
- Adjust quickly to the security needs of a highly agile organization, must be flexible and adaptable to change.
- Ability to manage all aspects of large-scale projects to bring about organizational change.
- Build relationships across multiple business units to inform and education security best practices.
#LI-Remote
The range displayed on each job posting reflects the minimum and maximum target for new hire salaries for the position across all US locations. Within the range, individual pay is determined by work location and additional factors, including job-related skills, experience, and relevant education or training.
Base pay is one part of the Total Package that is provided to compensate and recognize employees for their work, and in addition to benefits this role may be eligible for discretionary bonuses/incentives, and restricted stock units.
US base salary range
$150,000—$210,000 USD
Working at CarGurus
We reward our Gurus’ curiosity and passion with best-in-class benefits and compensation, including equity for all employees, both when they start and as they continue to grow with us. Our career development and corporate giving programs, as well as our employee resource groups (ERGs) and communities, help people build connections while making an impact in personally meaningful ways. A flexible hybrid model and robust time off policies encourage work-life balance and individual well-being. Thoughtful perks like daily free lunch, a new car discount, meditation and fitness apps, commuting cost coverage, and more help our people create space for what matters most in their personal and professional lives.
We welcome all
CarGurus strives to be a place to which people can bring the ultimate expression of themselves and their potential—starting with our hiring process. We do not discriminate based on race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation. We foster an inclusive environment that values people for their skills, experiences, and unique perspectives. That’s why we hope you’ll apply even if you don’t check every box listed in the job description. We want to know what only you can bring to CarGurus.
Additional information
US employees must provide proof of full vaccination against COVID-19 unless they have an approved medical or religious accommodation. #LI-Hybrid