Senior Security Engineer (DevSecOps)
Tempe, AZ
About Carvana
“We believe CVNA is in the early stages of becoming the next U.S. retail category killer.”
– Stephens Investment Bank, Analyst Report, Sept. 2024
Building leading-edge technology has been at the core of Carvana’s strategy since our founding, driving us to become the 3rd fastest company in history to organically reach the Fortune 500 following only Amazon and Google. Today, we remain founder-led and as ambitious as ever. In 2024, we have not only emerged as the fastest growing automotive retailer, but also the most profitable thanks to our deep vertical integration across retail, lending, vehicle transportation, wholesale auctions, and more.
If you want to grow not just as an Engineer but as a leader and business-builder, Carvana is the place for you. Our technology teams build:
- End-to-end ecommerce for both selling and buying cars, including everything you see on Carvana.com and in our mobile apps.
- AI-driven customer support across chat, email, SMS, and voice, as well as a proprietary CRM platform to ensure the most efficient and highest quality customer experience.
- 360° vehicle photography and interactive merchandising using cutting edge computer vision and AI techniques.
- The most sophisticated and self-service automotive lending platform in the world.
- Systems and tools behind a nationwide logistics network that has delivered and picked up over 3 million cars via our fully owned and operated fleet of automotive haulers, efficiently managing distribution of our massive inventory to 85% of US driveways.
- Enterprise grade systems for operating the largest vehicle reconditioning facilities in the US, with workflow and automation to guide the work for everything mechanical, electrical, and cosmetic needed to bring each car to our high standards.
- Early adoption and customization of AI tools for optimizing our Developer efficiency and experience.
And much, much more…
THIS IS A 100% ON-SITE POSITION FROM OUR HQ IN TEMPE (Monday through Friday)
About the team and position:
We are hiring a Senior Security Engineer to join our DevSecOps Team. This role will bridge Application Security and DevSecOps, ensuring that our applications, services, and websites are designed and implemented with security by design, while also fortifying our security infrastructure. You will be responsible for discovering and addressing security risks, issues, and threats across the entire development lifecycle. This includes building security automation to enable secure development practices, evangelizing security with our engineering teams, and working closely with our Principal C# Engineer and Senior DevSecOps Engineer to fortify our Identity Provider (IdP) systems, manage edge security processes, and ensure the integrity of our microservices architecture.
Key Responsibilities:
- Drive and implement comprehensive security practices throughout the entire software development lifecycle, including (but not limited to):
  - Integrating security into the Secure Software Development Lifecycle (SSDLC) and CI/CD pipeline.
  - Fostering a culture of security-driven development through close collaboration with engineering, development, and operations teams.
- Act as a Subject Matter Expert (SME) in application and infrastructure security
- Provide expert advice, consultation, and training.
- Proactively identify, remediate, and manage vulnerabilities.
- Communicate complex technical security problems to technical and non-technical stakeholders.
- Collaborate with the Principal C# Engineer to enhance AuthN/AuthZ systems.
- Develop and maintain secure Identity Provider (IdP) systems utilizing C# on the backend.
- Work alongside the Senior DevSecOps Engineer to implement and manage firewalls, Security Information and Event Management (SIEM), and log storage systems (e.g., Splunk, Datadog).
- Oversee application security initiatives, including vulnerability assessments and penetration testing.
- Develop and manage a Security Champions program to promote security awareness and best practices throughout the organization.
- Consult on and help implement secure microservices architectures.
- Ensure scalability, resilience, and alignment with best practices for security infrastructure.
Qualifications:
- Solid understanding of edge security processes:
  - Firewalls, SIEM, and log storage systems like Splunk or Datadog
- Hands-on experience in cloud security environments (Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP)).
- Hands-on experience with containers (Docker, Kubernetes).
- Experience with microservices architecture and infrastructure management.
- Demonstrated ability to balance security with agile release cycles.
- Extensive experience in:
- Development engineering or DevSecOps
- Cybersecurity
- Strong understanding of the Secure Software Development Lifecycle (SSDLC)
- Various build technologies, code repositories, and CI/CD pipeline processes (ADO, GitHub)
- Embedding security tooling
- Deep technical expertise and proficiency in:
  - Authentication and Authorization services, including OAuth 2.0
  - Identity Provider (IdP) systems and OpenID protocol
  - Hands-on experience implementing such services in complex microservices environments.
- Comprehensive knowledge of various security domains, including:
  - web security (OWASP Top 10, CWE Top 25)
  - secure coding practices
  - identity management
  - software development
  - system administration
  - network security
- Strong technical proficiency and experience with multiple programming languages (C#, Python, JavaScript, PowerShell), scripting languages, common security libraries, controls, and security flaws.
- Strong self-starter with technical acumen, communication and influence skills.
- Proven ability to solve complex problems, develop risk-based solutions, and balance security with engineering requirements, while also driving influence and change with stakeholders holding varying opinions on security topics.
Preferred Qualifications:
- Bachelor's degree in Computer Science or a related field, or equivalent practical experience.
- Advanced proficiency in C# development for backend services and security applications.
- Experience with Azure or AWS (Azure preferred) cloud infrastructure.
- Hands-on experience with GitHub or Azure DevOps for version control, CI/CD pipelines, and security automation.
- Specialized knowledge of application security testing tools and methodologies (e.g., SAST, DAST, IAST).
- In-depth understanding of web application vulnerabilities and mitigation techniques.
- Experience implementing and managing secure AuthN and AuthZ systems including OAuth 2.0 and OpenID protocol.
- Familiarity with Azure Key Vault and other secrets management solutions.
- Certifications in relevant areas (e.g., CSSLP, Azure Security Engineer).
Why Join Us?
- Be part of a forward-thinking team that values innovation and collaboration.
- Opportunity to work on cutting-edge technology solutions.
- Comprehensive compensation package including competitive salary, 401K with company match, a wide range of perks (such as student loan payments and vehicle discounts), and a robust wellness program.
- Extensive professional development opportunities including training.
- Scholarships and discounts for ASU Online.
- Culture of internal promotions in a dynamic, rapidly growing company.
Legal Stuff
Hiring is contingent on passing a complete background check. This role is not eligible for visa sponsorship.
Carvana is an equal employment opportunity employer. All applicants receive consideration for employment without regard to race, color, religion, gender, sexual orientation, gender identity or expression, marital status, national origin, age, mental or physical disability, protected veteran status, or genetic information, or any other basis protected by applicable law. Carvana also prohibits harassment of applicants or employees based on any of these protected categories.
Please note this job description is not designed to contain a comprehensive listing of activities, duties, or responsibilities that are required of the employee for this job. Duties, responsibilities, and activities may change at any time with or without notice.