Application Security Engineer
Cambridge, MA
CarGurus
Unbiased car reviews and over a million opinions and photos from real people. Use CarGurus to find the best used car deals.Who we are
At CarGurus (NASDAQ: CARG), our mission is to give people the power to reach their destination. We started as a small team of developers determined to bring trust and transparency to car shopping. Since then, our history of innovation and go-to-market acceleration has driven industry-leading growth. In fact, we’re the largest and fastest-growing automotive marketplace, and we’ve been profitable for over 15 years.
What we do
The market is evolving, and we are too, moving the entire automotive journey online and guiding our customers through every step. That includes everything from the sale of an old car to the financing, purchase, and delivery of a new one. Today, tens of millions of consumers visit CarGurus.com each month, and ~30,000 dealerships use our products. But they're not the only ones who love CarGurus—our employees do, too. We have a people-first culture that fosters kindness, collaboration, and innovation, and empowers our Gurus with tools to fuel their career growth. Disrupting a trillion-dollar industry requires fresh and diverse perspectives. Come join us for the ride!
What You’ll Do: Develop and oversee the implementation of information security procedures and policies in a fast-moving, data-driven environment for millions of users across millions of cars globally. Duties include: implement secure software development measures into CI/CD pipelines; collaborate with software engineering teams to apply a shift-left security strategy in the development lifecycle; perform security assessment reviews and security audits across all areas of the business; facilitate risk mitigation by working with key business stakeholders while promoting an agile, innovative culture; perform technical application threat analysis, threat modeling, defense in-depth strategies, security control gap analysis, and threat mitigation; lead risk-focused culture and process change through training and interaction with key leaders; work closely with IT and Operations departments to ensure security standards, policies, and procedures are deeply embedded and understood; contribute to team that promotes security training programs; develops and implements risk reporting framework for management teams and government committees; and stay current with cyber security, privacy, and risk industry trends. Multiple positions.
Who You Are: Bachelor’s degree (or foreign equivalent) in Information Technology, Computer Science, Electronics/Electrical Engineering, Computer Engineering, or a related field and five (5) years of experience in the job offered or related occupation. Position also requires five (5) years of experience with each of the following: web/application-layer security and attack vectors; working with vulnerability frameworks and guidance including CVSS, OWASP, or NIST; implementing SAST, DAST, and SCA tooling into the Software Development Lifecycle (SDLC); DevSecOps principles; integrating application tools within DevOps (CI/CD) pipelines; creating and maintaining Python/Bash scripts to run application security testing scans; risk assessment methodologies, frameworks, and procedures; risk assessment tools, technologies and methods; and planning, researching, and developing security policies, standards and procedures.
#LI-DNI
Working at CarGurus
We reward our Gurus’ curiosity and passion with best-in-class benefits and compensation, including equity for all employees, both when they start and as they continue to grow with us. Our career development and corporate giving programs, as well as our employee resource groups (ERGs) and communities, help people build connections while making an impact in personally meaningful ways. A flexible hybrid model and robust time off policies encourage work-life balance and individual well-being. Thoughtful perks like daily free lunch, a new car discount, meditation and fitness apps, commuting cost coverage, and more help our people create space for what matters most in their personal and professional lives.
We welcome all
CarGurus strives to be a place to which people can bring the ultimate expression of themselves and their potential—starting with our hiring process. We do not discriminate based on race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation. We foster an inclusive environment that values people for their skills, experiences, and unique perspectives. That’s why we hope you’ll apply even if you don’t check every box listed in the job description. We also encourage you to tell your recruiter if you require accommodations to participate in our hiring process due to a disability so we can provide the appropriate support. We want to know what only you can bring to CarGurus. #LI-Hybrid
* Salary range is an estimate based on our InfoSec / Cybersecurity Salary Index 💰
Tags: Agile Application security Audits Bash CI/CD Computer Science CVSS DAST DevOps DevSecOps NIST OWASP Privacy Python Risk assessment SAST SDLC Security assessment Security strategy Strategy
Perks/benefits: Career development Equity Flex hours Flex vacation Startup environment Transparency
More jobs like this
Explore more InfoSec / Cybersecurity career opportunities
Find even more open roles in Ethical Hacking, Pen Testing, Security Engineering, Threat Research, Vulnerability Management, Cryptography, Digital Forensics and Cyber Security in general - ordered by popularity of job title or skills, toolset and products used - below.
- Open Principal Security Engineer jobs
- Open Information Security Specialist jobs
- Open Information Systems Security Officer (ISSO) jobs
- Open Ethical hacker / Pentester H/F jobs
- Open Senior Cyber Security Engineer jobs
- Open Cyber Security Architect jobs
- Open Cyber Security Specialist jobs
- Open Manager Pentest H/F jobs
- Open Cybersecurity Analyst jobs
- Open Product Security Engineer jobs
- Open Staff Security Engineer jobs
- Open Chief Information Security Officer jobs
- Open Senior Information Security Analyst jobs
- Open Consultant infrastructure sécurité H/F jobs
- Open Senior Information Security Engineer jobs
- Open Senior Penetration Tester jobs
- Open IT Security Analyst jobs
- Open Security Specialist jobs
- Open Consultant SOC / CERT H/F jobs
- Open Cybersecurity Consultant jobs
- Open IT Security Engineer jobs
- Open Security Researcher jobs
- Open Sr. Security Engineer jobs
- Open Cybersecurity Specialist jobs
- Open Security Operations Analyst jobs
- Open Windows-related jobs
- Open CISM-related jobs
- Open Network security-related jobs
- Open Pentesting-related jobs
- Open ISO 27001-related jobs
- Open Agile-related jobs
- Open Application security-related jobs
- Open GCP-related jobs
- Open Vulnerability management-related jobs
- Open IAM-related jobs
- Open Analytics-related jobs
- Open CISA-related jobs
- Open Threat intelligence-related jobs
- Open SaaS-related jobs
- Open APIs-related jobs
- Open Security assessment-related jobs
- Open Java-related jobs
- Open Malware-related jobs
- Open Forensics-related jobs
- Open DevOps-related jobs
- Open Security Clearance-related jobs
- Open IDS-related jobs
- Open CEH-related jobs
- Open EDR-related jobs
- Open Kubernetes-related jobs