Cargurus - Boston, MA
posted 18 days ago
Full-time - Senior
Boston, MA
Motor Vehicle and Parts Dealers
About the position
As a Principal Application Security Engineer at CarGurus, you will play a critical role in securing product offerings and leading vulnerability evaluations. This position involves collaborating with engineering teams for threat modeling, mentoring team members, overseeing security design, managing risk, and enhancing the overall security posture of the organization. You will serve as a bridge between business and security, ensuring effective communication and integration of security requirements into business processes.
Responsibilities
- Coordinate business strategy, security design and review activities with various company teams.
- Define security architecture and security controls.
- Provide design and oversight into infrastructure security architectures.
- Provide design and oversight into cloud security architectures.
- Provide strategic consultation to business units, identifying and addressing potential security gaps.
- Apply risk-based methodologies to evaluate, prioritize, and address vulnerabilities and security findings.
- Serve as a bridge between business and security teams, facilitating communication and ensuring security requirements are integrated efficiently into business processes.
- Research and implement new security tools, frameworks, and processes to enhance our security posture.
- Advise software development and engineering teams to ensure that data collection, storage, transmission, and usage throughout development are transparent and security-focused.
- Provide technical leadership and oversight to application security activities and initiatives.
- Oversee bug bounty and threat researcher programs.
- Provide technical leadership and oversight to vulnerability threat management activities and initiatives.
- Provide technical leadership and oversight to penetration testing activities and initiatives.
- Provide security oversight and design guidance to the DevOps process.
- Develop metrics to measure the application security program.
- Establish automated configurations to enhance user access controls.
- Educate and guide engineers on secure coding practices.
- Mentor junior team members and foster a culture of continuous learning.
- Actively participate in security incident response.
Requirements
- 7-12 years as an application security practitioner, including 3-5 years in security architecture.
- Strong knowledge of web/application-layer security, attack vectors, and secure coding practices.
- Experience conducting application threat modeling and performing in-depth security assessments.
- Familiarity with frameworks like OWASP, CVSS, NIST, and CIS.
- Proven expertise with SSO, RBAC models, OAuth 2.0, and other identity solutions.
Nice-to-haves
- GIAC certifications (e.g., GWAPT) or CISSP/CSSP.
- Hands-on experience integrating security into product and software development initiatives.
- Track record of developing and scaling application security programs.
Benefits
- Equity for all employees
- Flexible hybrid model
- Robust time off policies
- Daily free lunch
- New car discount
- Meditation and fitness apps
- Commuting cost coverage
