Application Security Engineer II

Who we are
At CarGurus (NASDAQ: CARG), our mission is to give people the power to reach their destination. We started as a small team of developers determined to bring trust and transparency to car shopping. Since then, our history of innovation and go-to-market acceleration has driven industry-leading growth. In fact, we're the largest and fastest-growing automotive marketplace, and we've been profitable for over 15 years.
What we do
The market is evolving, and we are too, moving the entire automotive journey online and guiding our customers through every step. That includes everything from the sale of an old car to the financing, purchase, and delivery of a new one. Today, tens of millions of consumers visit CarGurus.com each month, and ~30,000 dealerships use our products. But they're not the only ones who love CarGurus-our employees do, too. We have a people-first culture that fosters kindness, collaboration, and innovation, and empowers our Gurus with tools to fuel their career growth. Disrupting a trillion-dollar industry requires fresh and diverse perspectives. Come join us for the ride!
Role overview
CarGurus is seeking an Application Security Engineer II to join our Information Security team. Reporting to the Director of Information Security, you will play a critical role in improving and maintaining the security of our products. As an integral member of the team, you will collaborate with Product, Engineering, Infrastructure, and Privacy teams to build secure-by-design applications and foster a culture of security.
The ideal candidate is passionate about application security, experienced in securing SaaS environments, and skilled in working closely with cross-functional teams to identify and mitigate security risks.
What You'll Do:

• Partner with product and engineering teams to identify potential threats, vulnerabilities, and attack vectors in the design phase with active threat modeling.
• Perform in-depth analysis of applications, identifying security risks through penetration testing, dynamic/static analysis, and manual assessments.
• Operationalize and enhance static (SAST), dynamic (DAST), and software composition analysis (SCA) tools in the CI/CD pipeline to streamline security processes.
• Identify, validate, prioritize, and remediate vulnerabilities, aligning with risk-based methodologies and defined SLAs.

• Respond to findings from external researchers and bug bounty programs, ensuring timely triage, validation, and remediation.
• Contribute to the design and implementation of security controls and architecture for new and existing products.
• Participate in assessing third-party applications and libraries for security risks.
• Collaborate with engineering teams to embed security best practices throughout the SDLC, providing training and guidance as needed.

Technical Qualifications:

• At least 3 years of experience in Information Security.
• Experience with modern programming languages, particularly Python and JavaScript.
• Proficiency with security testing tools such as Burp Suite, ZAP, or equivalent.
• Hands-on experience with SAST, DAST, and SCA tools (e.g., Checkmarx, Veracode, GitHub Advanced Security).
• Familiarity with vulnerability frameworks and scoring systems (e.g., CVSS, NIST 800-53).
• Knowledge of secure design principles, authentication/authorization mechanisms, and encryption best practices.

Non-technical Qualifications:

• Strong communication skills with the ability to convey complex security issues to non-technical stakeholders.
• A pragmatic approach to balancing security risks with business needs.
• A collaborative mindset with a "can-do" attitude and adaptability to a fast-paced, dynamic environment.
• Strong organizational and time management skills to handle multiple priorities effectively.

Working at CarGurus
We reward our Gurus' curiosity and passion with best-in-class benefits and compensation, including equity for all employees, both when they start and as they continue to grow with us. Our career development and corporate giving programs, as well as our employee resource groups (ERGs) and communities, help people build connections while making an impact in personally meaningful ways. A flexible hybrid model and robust time off policies encourage work-life balance and individual well-being. Thoughtful perks like daily free lunch, a new car discount, meditation and fitness apps, commuting cost coverage, and more help our people create space for what matters most in their personal and professional lives.
We welcome all
CarGurus strives to be a place to which people can bring the ultimate expression of themselves and their potential-starting with our hiring process. We do not discriminate based on race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation. We foster an inclusive environment that values people for their skills, experiences, and unique perspectives. That's why we hope you'll apply even if you don't check every box listed in the job description. We also encourage you to tell your recruiter if you require accommodations to participate in our hiring process due to a disability so we can provide the appropriate support. We want to know what only you can bring to CarGurus. #LI-Hybrid