Application Security Engineer II

Role overview

CarGurus is seeking an Application Security Engineer II to join our Information Security team. Reporting to the Director of Information Security, you will play a critical role in improving and maintaining the security of our products. As an integral member of the team, you will collaborate with Product, Engineering, Infrastructure, and Privacy teams to build secure-by-design applications and foster a culture of security.

The ideal candidate is passionate about application security, experienced in securing SaaS environments, and skilled in working closely with cross-functional teams to identify and mitigate security risks.

What You’ll Do: 

• Partner with product and engineering teams to identify potential threats, vulnerabilities, and attack vectors in the design phase with active threat modeling.
• Perform in-depth analysis of applications, identifying security risks through penetration testing, dynamic/static analysis, and manual assessments.
• Operationalize and enhance static (SAST), dynamic (DAST), and software composition analysis (SCA) tools in the CI/CD pipeline to streamline security processes.
• Identify, validate, prioritize, and remediate vulnerabilities, aligning with risk-based methodologies and defined SLAs.

• Respond to findings from external researchers and bug bounty programs, ensuring timely triage, validation, and remediation.
• Contribute to the design and implementation of security controls and architecture for new and existing products.
• Participate in assessing third-party applications and libraries for security risks.
• Collaborate with engineering teams to embed security best practices throughout the SDLC, providing training and guidance as needed.

Technical Qualifications: 

• At least 3 years of experience in Information Security. 
• Experience with modern programming languages, particularly Python and JavaScript.
• Proficiency with security testing tools such as Burp Suite, ZAP, or equivalent.
• Hands-on experience with SAST, DAST, and SCA tools (e.g., Checkmarx, Veracode, GitHub Advanced Security).
• Familiarity with vulnerability frameworks and scoring systems (e.g., CVSS, NIST 800-53).
• Knowledge of secure design principles, authentication/authorization mechanisms, and encryption best practices.

Non-technical Qualifications: 

• Strong communication skills with the ability to convey complex security issues to non-technical stakeholders.
• A pragmatic approach to balancing security risks with business needs.
• A collaborative mindset with a "can-do" attitude and adaptability to a fast-paced, dynamic environment.
• Strong organizational and time management skills to handle multiple priorities effectively.