Car shopping is complicated. At CarGurus, we use data & technology to make it simple, giving people the tools they need to confidently find, buy, finance, or sell a car. The best part? Our work makes a real impact. We're the most-visited car-shopping site in the US & we are growing fast in our international markets. Ready to come along for the ride?
The Application Security Engineer will report into our Vice President of Information Security & act as a key contributor to continuously improve & build the application security of our product offerings. The ideal candidate will have experience working in a SaaS environment, collaborating, & advising the Product, Development, Infrastructure, & Privacy teams on the best methods for securing our product. This includes building a security first-in-mind approach for our products & enhancing our current Software Development Lifecycle (SDLC).
This Engineer should be comfortable performing technical application threat analysis, threat modeling, defense-in-depth strategies, security control gap analysis, & threat mitigation. They must have a pragmatic approach to risk management by striking a balance between the organization's risk tolerance & the security of our customers, partners, & employees.
The candidate must have experience with penetration testing & be able to detect security flaws in code & provide guidance to engineers on how to remediate them. This includes responding to internal & external contributors of our hacker bug bounty program.
What You'll Do:
- Educate & provide guidance & recommendations to engineers on secure coding practices.
- Apply service-oriented security architecture principles to ensure confidentiality, integrity, & availability (CIA) requirements are met.
- Identify & validate threats to CarGurus applications.
- Analyze results of dynamic & static code analysis & scanning in the CI pipeline.
- Assist in third-party web application vulnerability testing engagements.
- Work to remediate security vulnerabilities in the product to meet defined Service Level Agreements (SLAs).
- Assist in integrating new security solutions into the product development lifecycle.
- Automate security configurations to support product user access controls.
- Bachelor's degree or equivalent combination of education & experience in Information Security or Computer Science.
- 2-4 years of experience as an application security practitioner with privacy by design experience.
- Prior experience as a penetration tester.
- Industry certifications such as SANS certifications (GWAPT) & others; CISSP (preferred, or CSSLP), OSCP (and related) are nice to have.
- Working knowledge of web/application-layer security & attack vectors. Experience conducting end-to-end application security assessments, including application decomposition.
- Familiarity with widely accepted vulnerability frameworks & guidance (CVSS, OWASP, NIST, etc.).
- Experience with RBAC models, SSO solutions, identity stores & directory services (SAML 2, OAuth 2, OIDC).
- Experience with authoring & maintaining application security policies, standards, & procedures.
- Familiarity with CIS & NIST security frameworks, & SOX compliance controls.
- Proactively tie technical security risks to tactical organizational activities & goals.
- Operate with a pragmatic approach to risk while considering business needs.
- Clearly articulate issues & communicate in an effective & personable manner.
- Adjust quickly to the security needs of a highly agile organization, must be flexible & adaptable to change.
- Time management to effectively work across multiple projects.
- Establish relationships across multiple business units to inform & educate on security industry norms.
Research shows that while men apply to jobs when they meet an average of 60% of the criteria, women & other marginalized folks tend to only apply when they check every box. So if you think you have what it takes, but don't necessarily meet every single point on the job description, please still get in touch. We'd love to have a chat & see if you could be a great fit.
At CarGurus, we invest in our people's professional growth with everything from learning & development programs to tuition reimbursement. Want to work on projects that expand your skill set without sacrificing your work/life balance? You got it. We also strive to provide perks & benefits that employees actually care about, like free lunch, commuter subsidies, & more. That includes equity in the company, our way of showing that we want you here for the long haul.
We work hard every day to build the world's most trusted & transparent automotive marketplace, but trust & transparency don't just apply to our consumers. They extend to our talent, too. We aim to create a workplace where everyone feels they can bring the ultimate expression of themselves & their potential, where you don't just fit, you thrive. We don't discriminate based on race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation.
CarGurus employees in the US can choose to work from home / remotely for the duration of 2021, or participate in a phased return to our beautiful office spaces. We expect most roles to be in-office at least 3 days a week beginning January 2022. In addition to the US, CarGurus operates sites in Canada & the UK. We have offices in Cambridge, MA; Detroit, MI; Dublin, Ireland; San Francisco, CA & London, UK. Check out our careers page to learn more.