Application Security Engineer

Cambridge, MA


Unbiased car reviews and over a million opinions and photos from real people. Use CarGurus to find the best used car deals.

View company page

Who we are

At CarGurus (NASDAQ: CARG), our mission is to give people the power to reach their destination. We started as a small team of developers determined to bring trust and transparency to car shopping. Since then, our history of innovation and go-to-market acceleration has driven industry-leading growth. In fact, we’re the largest and fastest-growing automotive marketplace, and we’ve been profitable for over 15 years.

What we do

The market is evolving, and we are too, moving the entire automotive journey online and guiding our customers through every step. That includes everything from the sale of an old car to the financing, purchase, and delivery of a new one. Today, tens of millions of consumers visit each month, and ~30,000 dealerships use our products. But they're not the only ones who love CarGurus—our employees do, too. We have a people-first culture that fosters kindness, collaboration, and innovation, and empowers our Gurus with tools to fuel their career growth. Disrupting a trillion-dollar industry requires fresh and diverse perspectives. Come join us for the ride!

What You’ll Do: Develop and oversee the implementation of information security procedures and policies in a fast-moving, data-driven environment for millions of users across millions of cars globally. Duties include: implement secure software development measures into CI/CD pipelines; collaborate with software engineering teams to apply a shift-left security strategy in the development lifecycle; perform security assessment reviews and security audits across all areas of the business; facilitate risk mitigation by working with key business stakeholders while promoting an agile, innovative culture; perform technical application threat analysis, threat modeling, defense in-depth strategies, security control gap analysis, and threat mitigation; lead risk-focused culture and process change through training and interaction with key leaders; work closely with IT and Operations departments to ensure security standards, policies, and procedures are deeply embedded and understood; contribute to team that promotes security training programs; develops and implements risk reporting framework for management teams and government committees; and stay current with cyber security, privacy, and risk industry trends. Multiple positions.


Who You Are:  Bachelor’s degree (or foreign equivalent) in Information Technology, Computer Science, Electronics/Electrical Engineering, Computer Engineering, or a related field and five (5) years of experience in the job offered or related occupation. Position also requires five (5) years of experience with each of the following: web/application-layer security and attack vectors; working with vulnerability frameworks and guidance including CVSS, OWASP, or NIST; implementing SAST, DAST, and SCA tooling into the Software Development Lifecycle (SDLC); DevSecOps principles; integrating application tools within DevOps (CI/CD) pipelines; creating and maintaining Python/Bash scripts to run application security testing scans; risk assessment methodologies, frameworks, and procedures; risk assessment tools, technologies and methods; and planning, researching, and developing security policies, standards and procedures.

Working at CarGurus

We reward our Gurus’ curiosity and passion with best-in-class benefits and compensation, including equity for all employees, both when they start and as they continue to grow with us. Our career development and corporate giving programs, as well as our employee resource groups (ERGs) and communities, help people build connections while making an impact in personally meaningful ways. A flexible hybrid model and robust time off policies encourage work-life balance and individual well-being. Thoughtful perks like daily free lunch, a new car discount, meditation and fitness apps, commuting cost coverage, and more help our people create space for what matters most in their personal and professional lives.

We welcome all

CarGurus strives to be a place to which people can bring the ultimate expression of themselves and their potential—starting with our hiring process. We do not discriminate based on race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation. We foster an inclusive environment that values people for their skills, experiences, and unique perspectives. That’s why we hope you’ll apply even if you don’t check every box listed in the job description. We also encourage you to tell your recruiter if you require accommodations to participate in our hiring process due to a disability so we can provide the appropriate support. We want to know what only you can bring to CarGurus. #LI-Hybrid

Apply now Apply later
  • Share this job via
  • or

* Salary range is an estimate based on our InfoSec / Cybersecurity Salary Index 💰

Tags: Agile Application security Audits Bash CI/CD Computer Science CVSS DAST DevOps DevSecOps NIST OWASP Privacy Python Risk assessment SAST SDLC Security assessment Security strategy Strategy

Perks/benefits: Career development Equity Flex hours Flex vacation Startup environment Transparency

Region: North America
Country: United States
Job stats:  8  2  0

More jobs like this

Explore more InfoSec / Cybersecurity career opportunities

Find even more open roles in Ethical Hacking, Pen Testing, Security Engineering, Threat Research, Vulnerability Management, Cryptography, Digital Forensics and Cyber Security in general - ordered by popularity of job title or skills, toolset and products used - below.