All Jobs
CarGurus
Posted on 
Dec 17, 2024

Principal Security Engineer, Applications

Boston
Apply NowApply Now
CarGurus
CarGurus
CarGurus

CarGurus

https://careers.cargurus.com/
Public
1001-5000
Consumer Products & Tech

Headquartered in Cambridge, Massachusetts, CarGurus is the all-in-one platform that’s moving the entire car shopping journey online and guiding customers through each step. This includes everything from selling an old car to financing, purchasing, and delivering a new one. Today, millions of consumers visit cargurus.com each month, and more than 30,000 dealerships use our products. We have a people-first culture that fosters kindness, collaboration, and innovation, while empowering our Gurus with tools and resources to fuel their career growth. Our goal is to give all people—consumers, dealers, and our employees—the power to reach their destination. 

Job Description

Role overview

As a Principal Application Security Engineer, you’ll lead the charge in securing our product offerings, applying risk-based methodologies to vulnerabilities, and partnering with application and platform engineering teams for threat modeling, reporting to our Director of Information Security. This is a highly technical individual contributor role, ideal for someone with hands-on expertise who is excited to mentor and eventually grow into a leadership position.

What you'll do

Core Responsibilities:

  • Coordinate business strategy, security design and review activities with various company teams.
  • Define security architecture and security controls.
  • Provide design and oversight into infrastructure security architectures.
  • Provide design and oversight into cloud security architectures.
  • Provide strategic consultation to business units, identifying and addressing potential security gaps, and advising on the necessary involvement of the security organization in various projects.
  • Apply risk-based methodologies to evaluate, prioritize, and address vulnerabilities and security findings.
  • Serve as a bridge between business and security teams, facilitating communication and ensuring security requirements are integrated efficiently into business processes.
  • Research and implement new security tools, frameworks, and processes to enhance our security posture.

Vulnerability and Risk Management:

  • Advise software development and engineering teams to ensure that data collection, storage, transmission, and usage throughout development are transparent, security focused, and mitigate risk.
  • Provide technical leadership and oversight to application security activities and initiatives.
  • Oversee bug bounty and threat researcher programs.
  • Provide technical leadership and oversight to vulnerability threat management activities and initiatives.
  • Provide technical leadership and oversight to penetration testing activities and initiatives.
  • Provide security oversight and design guidance to the DevOps process.
  • Develop metrics to measure the application security program.
  • Establish automated configurations to enhance user access controls.

Mentorship and Collaboration:

  • Educate and guide engineers on secure coding practices.
  • Mentor junior team members and foster a culture of continuous learning.
  • Actively participate in security incident response.

What you'll bring

Must-Have Qualifications:

  • 7–12 years as an application security practitioner, including 3–5 years in security architecture.
  • Strong knowledge of web/application-layer security, attack vectors, and secure coding practices.
  • Experience conducting application threat modeling and performing in-depth security assessments.
  • Familiarity with frameworks like OWASP, CVSS, NIST, and CIS.
  • Proven expertise with SSO, RBAC models, OAuth 2.0, and other identity solutions.

Nice-to-Have Qualifications:

  • GIAC certifications (e.g., GWAPT) or CISSP/CSSP.
  • Hands-on experience integrating security into product and software development initiatives.
  • Track record of developing and scaling application security programs.

Role overview

As a Principal Application Security Engineer, you’ll lead the charge in securing our product offerings, applying risk-based methodologies to vulnerabilities, and partnering with application and platform engineering teams for threat modeling, reporting to our Director of Information Security. This is a highly technical individual contributor role, ideal for someone with hands-on expertise who is excited to mentor and eventually grow into a leadership position.

What you'll do

Core Responsibilities:

  • Coordinate business strategy, security design and review activities with various company teams.
  • Define security architecture and security controls.
  • Provide design and oversight into infrastructure security architectures.
  • Provide design and oversight into cloud security architectures.
  • Provide strategic consultation to business units, identifying and addressing potential security gaps, and advising on the necessary involvement of the security organization in various projects.
  • Apply risk-based methodologies to evaluate, prioritize, and address vulnerabilities and security findings.
  • Serve as a bridge between business and security teams, facilitating communication and ensuring security requirements are integrated efficiently into business processes.
  • Research and implement new security tools, frameworks, and processes to enhance our security posture.

Vulnerability and Risk Management:

  • Advise software development and engineering teams to ensure that data collection, storage, transmission, and usage throughout development are transparent, security focused, and mitigate risk.
  • Provide technical leadership and oversight to application security activities and initiatives.
  • Oversee bug bounty and threat researcher programs.
  • Provide technical leadership and oversight to vulnerability threat management activities and initiatives.
  • Provide technical leadership and oversight to penetration testing activities and initiatives.
  • Provide security oversight and design guidance to the DevOps process.
  • Develop metrics to measure the application security program.
  • Establish automated configurations to enhance user access controls.

Mentorship and Collaboration:

  • Educate and guide engineers on secure coding practices.
  • Mentor junior team members and foster a culture of continuous learning.
  • Actively participate in security incident response.

What you'll bring

Must-Have Qualifications:

  • 7–12 years as an application security practitioner, including 3–5 years in security architecture.
  • Strong knowledge of web/application-layer security, attack vectors, and secure coding practices.
  • Experience conducting application threat modeling and performing in-depth security assessments.
  • Familiarity with frameworks like OWASP, CVSS, NIST, and CIS.
  • Proven expertise with SSO, RBAC models, OAuth 2.0, and other identity solutions.

Nice-to-Have Qualifications:

  • GIAC certifications (e.g., GWAPT) or CISSP/CSSP.
  • Hands-on experience integrating security into product and software development initiatives.
  • Track record of developing and scaling application security programs.
Apply NowApply Now
Why apply via Tech Ladies
Recommended Jobs
No items found.
See All Jobs
Receive Tech Ladies'
newest jobs in your inbox,
every week.

Join Tech Ladies for full-access to the job board, member-only events, and more!

If you're already a member, we haven't forgotten you. We promise. It's a new system. If you fill out the form once, it'll remember you going forward. Apologies for the inconvenience.

Boston
Boston
Java
Java
JavaScript
JavaScript
JQuery
JQuery
Node.Js
Node.Js
Python
Python
R
R
React
React
Redux
Redux
Ruby
Ruby
Spring
Spring
SQL
SQL
AWS
AWS
Kubernetes
Kubernetes
Docker
Docker
Jenkins
Jenkins
Elasticsearch
Elasticsearch
Kafka
Kafka
No items found.
In-Person
In-Person