CarGurus // online platform for used cars

Car shopping is complicated. At CarGurus, we use data & technology to make it simple, giving people the tools they need to confidently find, buy, finance, or sell a car. The best part? Our work makes a real impact. We're the most-visited car-shopping site in the US & we are growing fast in our international markets. Ready to come along for the ride?

CarGurus' Information Security Team is looking for an Associate Application Security Engineer to join our On Ramp program! On Ramp is a 6-month training program aimed at helping entry-level engineers grow into productive members of the CarGurus Engineering Organization. This position is for students who are graduating in spring of 2022. Engineers in the On Ramp program receive one month of classroom training & then transition to real-life projects with company-wide impact. For the duration of the program, engineers receive personalized mentoring & coaching, additional training, & the opportunity to build a valuable network with peers! Upon completion of the program, engineers are invited to continue collaborating with their project teams.

The Associate Application Security Engineer will report to our Vice President of Information Security & act as a key contributor to continuously improving & maintaining the application security of our product offerings. The ideal candidate will have experience working in a SaaS environment, collaborating with & advising the Product, Development, Infrastructure, & Privacy teams on the best methods for securing our product. This includes building a security-first approach for our products & enhancing our current Software Development Lifecycle (SDLC).

The engineer will perform technical application threat analysis, threat modeling, defense-in-depth strategy, security control gap analysis, & threat mitigation. They should take a pragmatic approach to risk management, striking a balance between the organization's risk tolerance & the security of our customers, partners, & employees.

The candidate should have experience with penetration testing & be able to detect security flaws in code & provide guidance to engineers on how to remediate them. This includes triaging & responding to reports from internal & external contributors to our bug bounty program.

What You'll Do:

The individual will work on project tasks at the direction of our Lead Application Security Engineer. They will gain exposure to new application security technologies & to our secure software development lifecycle (SDLC) as we continue to build our application security program.

Program development

  • Educate engineers & provide guidance & recommendations on secure coding practices.
  • Apply service-oriented security architecture principles to ensure confidentiality, integrity, & availability (CIA) requirements are met.

Vulnerability Management

  • Identify & validate threats to CarGurus applications.
  • Analyze the results of static & dynamic analysis & scanning run in the CI pipeline.
  • Assist in third-party web application vulnerability testing engagements.
  • Work to remediate security vulnerabilities in the product within defined Service Level Agreements (SLAs).

  • Assist in integrating new security solutions into the product development lifecycle.
  • Automate security configurations to support product user access controls.

Technical Qualifications:

  • Bachelor's degree or equivalent combination of education & experience in Information Security or Computer Science.
  • Experience as an application security practitioner with privacy by design experience.
  • Prior experience as a penetration tester.
  • Industry certifications are nice to have: SANS certifications such as GWAPT, CISSP (preferred) or CSSLP, & OSCP or related offensive-security certifications.
  • Proven understanding of web/application-layer security & attack vectors. Should be able to conduct end-to-end application security assessments with application decomposition experience.
  • Familiarity with widely accepted vulnerability frameworks & guidance (CVSS, OWASP, NIST, etc.).
  • Understanding of RBAC models, SSO solutions, identity stores & directory services, & federation protocols (SAML 2.0, OAuth 2.0, OIDC).
  • Experience with maintaining application security policies, standards, & procedures.
  • Familiarity with CIS & NIST security frameworks, & SOX compliance controls.

Non-technical Qualifications:

  • A can-do, positive attitude; a phenomenal teammate.
  • Proactively tie technical security risks to tactical organizational activities & goals.
  • Clearly articulate issues & communicate in an effective & personable manner.
  • Adjust quickly to the security needs of a highly agile organization, must be flexible & adaptable to change.
  • Time management to effectively work across multiple projects.
  • Build relationships across multiple business units to inform & educate on security best practices.

CarGurus Culture:

Research shows that while men apply to jobs when they meet an average of 60% of the criteria, women & other marginalized folks tend to only apply when they check every box. So if you think you have what it takes, but don't necessarily meet every single point on the job description, please still get in touch. We'd love to have a chat & see if you could be a great fit.

At CarGurus, we invest in our people's professional growth with everything from learning & development programs to tuition reimbursement. Want to work on projects that expand your skill set without sacrificing your work/life balance? You got it. We also strive to provide perks & benefits that employees actually care about, like free lunch, commuter subsidies, & more. That includes equity in the company, our way of showing that we want you here for the long haul.

We work hard every day to build the world's most trusted & transparent automotive marketplace, but trust & transparency don't just apply to our consumers. They extend to our talent, too. We aim to create a workplace where everyone feels they can bring the ultimate expression of themselves & their potential, where you don't just fit, you thrive. We don't discriminate based on race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation.

We recognize that flexibility plays a critical role in enabling our people to thrive in both their personal & professional lives. We currently welcome Gurus into our Cambridge, MA office on a voluntary basis but do not require employees to physically be in the office. We will adopt a hybrid working model when health experts & government officials in our local communities deem it safe to do so. Specific arrangements within this model will be at team leaders' discretion; we encourage you to discuss your questions & needs during the interview process.

All US CarGurus employees are required to provide proof of full vaccination against COVID-19, unless they have an approved medical or religious accommodation. This helps us to safeguard the health of our employees & their families, our customers & visitors, & the community at large.

© 2023 GarysGuide