Principal Application Security Engineer

Category: Security
Location: Cambridge, US


Description

<div class="content-intro"><p><span style="font-size: 12pt;"><strong>Who we are<br></strong></span><span class="normaltextrun" style="font-size: 12pt;"><span style="color: black;">At CarGurus (NASDAQ: CARG), our mission is to give people the power to reach their destination. We started as a small team of developers determined to bring trust and transparency to car shopping. Since then, our history of innovation and go-to-market acceleration has driven industry-leading growth. In fact, we’re the largest and fastest-growing automotive marketplace, and we’ve been profitable for over 15 years.</span></span></p> <p><span style="font-size: 12pt;"><strong>What we do</strong><br>The market is evolving, and we are too, moving the entire automotive journey online and guiding our customers through every step. That includes everything from the sale of an old car to the financing, purchase, and delivery of a new one. Today, tens of millions of consumers visit CarGurus.com each month, and ~30,000 dealerships use our products. But they're not the only ones who love CarGurus—our employees do, too. We have a people-first culture that fosters&nbsp;kindness, collaboration, and innovation, and empowers our Gurus with tools to fuel their career growth. Disrupting a trillion-dollar industry requires fresh and diverse perspectives. Come join us for the ride!</span></p></div><p><span style="font-size: 12pt;"><strong>Role overview</strong></span></p> <p><span style="font-size: 12pt;">The <strong>Principal Application Security Engineer </strong>will report to our Sr. Manager of Information Security and be responsible for continuously improving and maintaining the application security of our product offerings. 
The ideal candidate will have experience working in a SaaS environment, collaborating with and advising the Product, Development, Infrastructure, and Privacy teams on the best methods for securing our product.</span></p> <p><span style="font-size: 12pt;">This includes building a security-first approach for our products and enhancing our current Software Development Lifecycle (SDLC).</span></p> <p><span style="font-size: 12pt;">Educating product owners and engineers on secure development best practices is important to this role. The candidate must have solid presentation and delivery skills; a charismatic personality is a bonus.</span></p> <p><span style="font-size: 12pt;">The Engineer will have experience performing technical application threat analysis, threat modeling, defense-in-depth strategies, security control gap analysis, and threat mitigation. They must have a pragmatic approach to risk management, striking a balance between the organization’s risk tolerance and the security of our customers, partners, and employees.</span></p> <p><span style="font-size: 12pt;">The candidate must be committed to building an application security program that scales both technically and organizationally. 
Patience is key as you will be changing the oil while the car is running!</span></p> <p><span style="font-size: 12pt;">You will serve as the Lead Security Architect on new feature development and will be expected to participate in multiple Architecture Guilds.</span></p> <p><span style="font-size: 12pt;"><strong>What you'll do</strong></span></p> <p><span style="font-size: 12pt;">Program development</span></p> <ul> <li><span style="font-size: 12pt;">Implement a secure Systems and Software Development Lifecycle with security gates and testing across SAST, DAST, and vulnerability scans, with an emphasis on automating tools and process integration.</span></li> <li><span style="font-size: 12pt;">Design, architect, and implement application security and privacy-by-design standards and policies in accordance with industry frameworks.</span></li> <li><span style="font-size: 12pt;">Educate and provide guidance and recommendations to engineers on secure coding practices.</span></li> <li><span style="font-size: 12pt;">Define the DevSecOps strategy and partner with application teams for adoption and continuous security posture improvement.</span></li> <li><span style="font-size: 12pt;">Apply service-oriented security architecture principles to ensure confidentiality, integrity, and availability requirements are met.</span></li> <li><span style="font-size: 12pt;">Determine and define project scope, objectives, and deliverables for large-scale application security projects.</span></li> <li><span style="font-size: 12pt;">Identify metrics and Key Performance Indicators (KPIs) for the application security program.</span></li> </ul> <p><span style="font-size: 12pt;">Vulnerability management</span></p> <ul> <li><span style="font-size: 12pt;">Continue to mature the vulnerability management program.</span></li> <li><span style="font-size: 12pt;">Build dynamic and static code analysis and scanning into the CI/CD pipeline.</span></li> <li><span style="font-size: 12pt;">Manage third-party 
web application security testing engagements.</span></li> <li><span style="font-size: 12pt;">Manage and assist in remediating security vulnerabilities in the product to adhere to defined Service Level Agreements (SLAs).</span></li> </ul> <p><span style="font-size: 12pt;">Architecture</span></p> <ul> <li><span style="font-size: 12pt;">Research and integrate new security solutions into the product development lifecycle.</span></li> <li><span style="font-size: 12pt;">Establish automated security configurations to support product user access controls.</span></li> <li><span style="font-size: 12pt;">Work with the infrastructure engineering and product teams to conduct and complete security architecture reviews and designs for the product requirements.</span></li> </ul> <p><span style="font-size: 12pt;">Leadership</span></p> <ul> <li><span style="font-size: 12pt;">Encourage innovation, the implementation of cutting-edge technologies, inclusion, outside-of-the-box thinking, teamwork, self-organization, and diversity.</span></li> <li><span style="font-size: 12pt;">Act as lead member of incident response for application security.</span></li> <li><span style="font-size: 12pt;">Serve on the Security Guild and cross collaborate with other Architecture Guilds to ensure security is at the forefront of people’s minds.</span></li> <li><span style="font-size: 12pt;">Provide mentorship for junior team members.</span></li> </ul> <h2><span style="font-size: 12pt;">What you'll bring</span></h2> <ul> <li><span style="font-size: 12pt;">Bachelor’s Degree or equivalent combination of education and experience in Information Security or Computer Science.</span></li> <li><span style="font-size: 12pt;">7-12 years of experience as an application security practitioner with 3-5 years of security architecture and privacy by design experience.</span></li> <li><span style="font-size: 12pt;">Prior experience building and improving an application security program.</span></li> <li><span 
style="font-size: 12pt;">Industry certifications such as SANS certifications (GWAPT) and others; CISSP (or CSSLP) preferred; OSCP and related certifications are nice to have.</span></li> <li><span style="font-size: 12pt;">Deep knowledge of web/application-layer security and attack vectors. Must be able to conduct end-to-end application security assessments, including application decomposition, using commercial dynamic and static code analysis tooling.</span></li> <li><span style="font-size: 12pt;">Familiarity with widely accepted vulnerability frameworks and guidance (CVSS, OWASP, NIST, etc.).</span></li> <li><span style="font-size: 12pt;">Solid understanding of RBAC models, SSO solutions, identity stores, and directory services (SAML 2, OAuth 2, OIDC).</span></li> <li><span style="font-size: 12pt;">Proven track record of authoring and maintaining application security policies, standards, and procedures.</span></li> <li><span style="font-size: 12pt;">Familiarity with CIS and NIST security frameworks, and SOX compliance controls.</span></li> <li><span style="font-size: 12pt;">A “can-do”, positive attitude; a team player.</span></li> <li><span style="font-size: 12pt;">Proactively tie technical security risks to tactical organizational activities and goals.</span></li> <li><span style="font-size: 12pt;">Operate with a pragmatic approach to risk while considering business needs.</span></li> <li><span style="font-size: 12pt;">Clearly articulate issues and communicate in an effective and personable manner.</span></li> <li><span style="font-size: 12pt;">Adjust quickly to the security needs of a highly agile organization; must be flexible and adaptable to change.</span></li> <li><span style="font-size: 12pt;">Ability to manage all aspects of large-scale projects to bring about organizational change.</span></li> <li><span style="font-size: 12pt;">Build relationships across multiple business units to inform and educate on security best practices.</span></li> </ul><div 
class="content-conclusion"><p><span style="font-size: 12pt;"><strong>Working at CarGurus</strong> <br>We reward our Gurus’ curiosity and passion with best-in-class benefits and compensation, including equity for all employees, both when they start and as they continue to grow with us. Our career development and corporate giving programs, as well as our employee resource groups (ERGs) and communities, help people build connections while making an impact in personally meaningful ways. A flexible hybrid model and robust time off policies encourage work-life balance and individual well-being. Thoughtful perks like daily free lunch, a new car discount, meditation and fitness apps, commuting cost coverage, and more help our people create space for what matters most in their personal and professional lives.</span></p> <p><span style="font-size: 12pt;"><strong>We welcome all</strong><br>CarGurus strives to be a place to which people can bring the ultimate expression of themselves and their potential—starting with our hiring process. We do not discriminate based on race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation. We foster an inclusive environment that values people for their skills, experiences, and unique perspectives. That’s why we hope you’ll apply even if you don’t check every box listed in the job description. We want to know what only <em>you </em>can bring to CarGurus.</span></p> <p><span style="font-size: 12pt;"><strong>Additional information</strong> <br>US employees must provide proof of full vaccination against COVID-19 unless they have an approved medical or religious accommodation.</span></p></div>