Principal Security Engineer, Applications
Boston, Massachusetts, United States
CarGurus
Unbiased car reviews and over a million opinions and photos from real people. Use CarGurus to find the best used car deals.Who we are
At CarGurus (NASDAQ: CARG), our mission is to give people the power to reach their destination. We started as a small team of developers determined to bring trust and transparency to car shopping. Since then, our history of innovation and go-to-market acceleration has driven industry-leading growth. In fact, we’re the largest and fastest-growing automotive marketplace, and we’ve been profitable for over 15 years.
What we do
The market is evolving, and we are too, moving the entire automotive journey online and guiding our customers through every step. That includes everything from the sale of an old car to the financing, purchase, and delivery of a new one. Today, tens of millions of consumers visit CarGurus.com each month, and ~30,000 dealerships use our products. But they're not the only ones who love CarGurus—our employees do, too. We have a people-first culture that fosters kindness, collaboration, and innovation, and empowers our Gurus with tools to fuel their career growth. Disrupting a trillion-dollar industry requires fresh and diverse perspectives. Come join us for the ride!
Role overview
As a Principal Application Security Engineer, you’ll lead the charge in securing our product offerings, applying risk-based methodologies to vulnerabilities, and partnering with application and platform engineering teams for threat modeling, reporting to our Director of Information Security. This is a highly technical individual contributor role, ideal for someone with hands-on expertise who is excited to mentor and eventually grow into a leadership position.
What you'll do
Core Responsibilities:
- Coordinate business strategy, security design and review activities with various company teams.
- Define security architecture and security controls.
- Provide design and oversight into infrastructure security architectures.
- Provide design and oversight into cloud security architectures.
- Provide strategic consultation to business units, identifying and addressing potential security gaps, and advising on the necessary involvement of the security organization in various projects.
- Apply risk-based methodologies to evaluate, prioritize, and address vulnerabilities and security findings.
- Serve as a bridge between business and security teams, facilitating communi- cation and ensuring security requirements are integrated efficiently into business processes.
- Research and implement new security tools, frameworks, and processes to enhance our security posture.
Vulnerability and Risk Management:
- Advise software development and engineering teams to ensure that data collection, storage, transmission, and usage throughout development are transparent, security focused, and mitigate risk.
- Provide technical leadership and oversight to application security activities and initiatives.
- Oversee bug bounty and threat researcher programs.
- Provide technical leadership and oversight to vulnerability threat management activities and initiatives.
- Provide technical leadership and oversight to penetration testing activities and initiatives.
- Provide security oversight and design guidance to the DevOps process.
- Develop metrics to measure the application security program.
- Establish automated configurations to enhance user access controls.
Mentorship and Collaboration:
- Educate and guide engineers on secure coding practices.
- Mentor junior team members and foster a culture of continuous learning.
- Actively participate in security incident response.
What you'll bring
Must-Have Qualifications:
- 7–12 years as an application security practitioner, including 3–5 years in security architecture.
- Strong knowledge of web/application-layer security, attack vectors, and secure coding practices.
- Experience conducting application threat modeling and performing in-depth security assessments.
- Familiarity with frameworks like OWASP, CVSS, NIST, and CIS.
- Proven expertise with SSO, RBAC models, OAuth 2.0, and other identity solutions.
Nice-to-Have Qualifications:
- GIAC certifications (e.g., GWAPT) or CISSP/CSSP.
- Hands-on experience integrating security into product and software development initiatives.
- Track record of developing and scaling application security programs.
Working at CarGurus
We reward our Gurus’ curiosity and passion with best-in-class benefits and compensation, including equity for all employees, both when they start and as they continue to grow with us. Our career development and corporate giving programs, as well as our employee resource groups (ERGs) and communities, help people build connections while making an impact in personally meaningful ways. A flexible hybrid model and robust time off policies encourage work-life balance and individual well-being. Thoughtful perks like daily free lunch, a new car discount, meditation and fitness apps, commuting cost coverage, and more help our people create space for what matters most in their personal and professional lives.
We welcome all
CarGurus strives to be a place to which people can bring the ultimate expression of themselves and their potential—starting with our hiring process. We do not discriminate based on race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation. We foster an inclusive environment that values people for their skills, experiences, and unique perspectives. That’s why we hope you’ll apply even if you don’t check every box listed in the job description. We also encourage you to tell your recruiter if you require accommodations to participate in our hiring process due to a disability so we can provide the appropriate support. We want to know what only you can bring to CarGurus. #LI-Hybrid
* Salary range is an estimate based on our InfoSec / Cybersecurity Salary Index 💰
Tags: Application security CISSP Cloud CVSS DevOps GIAC GWAPT Incident response NIST OWASP Pentesting Risk management Security assessment SSO Strategy Vulnerabilities
Perks/benefits: Career development Equity / stock options Flex hours Flex vacation Transparency
More jobs like this
Explore more career opportunities
Find even more open roles below ordered by popularity of job title or skills/products/technologies used.