Application Security Engineer

Who we are

At CarGurus (NASDAQ: CARG), our mission is to give people the power to reach their destination. We started as a small team of developers determined to bring trust and transparency to car shopping. Since then, our history of innovation and go-to-market acceleration has driven industry-leading growth. In fact, we’re the largest and fastest-growing automotive marketplace, and we’ve been profitable for over 15 years.

What we do

The market is evolving, and we are too, moving the entire automotive journey online and guiding our customers through every step. That includes everything from the sale of an old car to the financing, purchase, and delivery of a new one. Today, tens of millions of consumers visit CarGurus.com each month, and ~30,000 dealerships use our products. But they're not the only ones who love CarGurus—our employees do, too. We have a people-first culture that fosters kindness, collaboration, and innovation, and empowers our Gurus with tools to fuel their career growth. Disrupting a trillion-dollar industry requires fresh and diverse perspectives. Come join us for the ride!

What You’ll Do: Develop and oversee the implementation of information security procedures and policies in a fast-moving, data-driven environment for millions of users across millions of cars globally. Duties include: implement secure software development measures into CI/CD pipelines; collaborate with software engineering teams to apply a shift-left security strategy in the development lifecycle; perform security assessment reviews and security audits across all areas of the business; facilitate risk mitigation by working with key business stakeholders while promoting an agile, innovative culture; perform technical application threat analysis, threat modeling, defense in-depth strategies, security control gap analysis, and threat mitigation; lead risk-focused culture and process change through training and interaction with key leaders; work closely with IT and Operations departments to ensure security standards, policies, and procedures are deeply embedded and understood; contribute to team that promotes security training programs; develops and implements risk reporting framework for management teams and government committees; and stay current with cyber security, privacy, and risk industry trends. Multiple positions.

Who You Are:  Bachelor’s degree (or foreign equivalent) in Information Technology, Computer Science, Electronics/Electrical Engineering, Computer Engineering, or a related field and five (5) years of experience in the job offered or related occupation. Position also requires five (5) years of experience with each of the following: web/application-layer security and attack vectors; working with vulnerability frameworks and guidance including CVSS, OWASP, or NIST; implementing SAST, DAST, and SCA tooling into the Software Development Lifecycle (SDLC); DevSecOps principles; integrating application tools within DevOps (CI/CD) pipelines; creating and maintaining Python/Bash scripts to run application security testing scans; risk assessment methodologies, frameworks, and procedures; risk assessment tools, technologies and methods; and planning, researching, and developing security policies, standards and procedures.
#LI-DNI

Working at CarGurus

We reward our Gurus’ curiosity and passion with best-in-class benefits and compensation, including equity for all employees, both when they start and as they continue to grow with us. Our career development and corporate giving programs, as well as our employee resource groups (ERGs) and communities, help people build connections while making an impact in personally meaningful ways. A flexible hybrid model and robust time off policies encourage work-life balance and individual well-being. Thoughtful perks like daily free lunch, a new car discount, meditation and fitness apps, commuting cost coverage, and more help our people create space for what matters most in their personal and professional lives.

We welcome all

CarGurus strives to be a place to which people can bring the ultimate expression of themselves and their potential—starting with our hiring process. We do not discriminate based on race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation. We foster an inclusive environment that values people for their skills, experiences, and unique perspectives. That’s why we hope you’ll apply even if you don’t check every box listed in the job description. We also encourage you to tell your recruiter if you require accommodations to participate in our hiring process due to a disability so we can provide the appropriate support. We want to know what only you can bring to CarGurus. #LI-Hybrid