Principal Security Engineer

at CarGurus
🇺🇸 United States - Remote
🔒 Cybersecurity🟡 Principal

Job description

Who we are

At CarGurus (NASDAQ: CARG), our mission is to give people the power to reach their destination. We started as a small team of developers determined to bring trust and transparency to car shopping. Since then, our history of innovation and go-to-market acceleration has driven industry-leading growth. In fact, we’re the largest and fastest-growing automotive marketplace, and we’ve been profitable for over 15 years.

What we do

The market is evolving, and we are too, moving the entire automotive journey online and guiding our customers through every step. That includes everything from the sale of an old car to the financing, purchase, and delivery of a new one. Today, tens of millions of consumers visit CarGurus.com each month, and ~30,000 dealerships use our products. But they’re not the only ones who love CarGurus—our employees do, too. We have a people-first culture that fosters kindness, collaboration, and innovation, and empowers our Gurus with tools to fuel their career growth. Disrupting a trillion-dollar industry requires fresh and diverse perspectives. Come join us for the ride!

Role overview

As a Principal Application Security Engineer, you’ll lead the charge in securing our product offerings, applying risk-based methodologies to vulnerabilities, and partnering with application and platform engineering teams for threat modeling, reporting to our Director of Information Security. This is a highly technical individual contributor role, ideal for someone with hands-on expertise who is excited to mentor and eventually grow into a leadership position.

What you’ll do

  • Coordinate business strategy, security design and review activities with various company teams.
  • Define security architecture and security controls.
  • Provide design and oversight into infrastructure security architectures.
  • Provide design and oversight into cloud security architectures.
  • Provide strategic consultation to business units, identifying and addressing potential security gaps, and advising on the necessary involvement of the security organization in various projects.
  • Apply risk-based methodologies to evaluate, prioritize, and address vulnerabilities and security findings.
  • Serve as a bridge between business and security teams, facilitating communi- cation and ensuring security requirements are integrated efficiently into business processes.
  • Research and implement new security tools, frameworks, and processes to enhance our security posture.
  • Advise software development and engineering teams to ensure that data collection, storage, transmission, and usage throughout development are transparent, security focused, and mitigate risk.
  • Provide technical leadership and oversight to application security activities and initiatives.
  • Oversee bug bounty and threat researcher programs.
  • Provide technical leadership and oversight to vulnerability threat management activities and initiatives.
  • Provide technical leadership and oversight to penetration testing activities and initiatives.
  • Provide security oversight and design guidance to the DevOps process.
  • Develop metrics to measure the application security program.
  • Establish automated configurations to enhance user access controls.
  • Educate and guide engineers on secure coding practices.
  • Mentor junior team members and foster a culture of continuous learning.
  • Actively participate in security incident response.

What you’ll bring

  • 7–12 years as an application security practitioner, including 3–5 years in security architecture.
  • Strong knowledge of web/application-layer security, attack vectors, and secure coding practices.
  • Experience conducting application threat modeling and performing in-depth security assessments.
  • Familiarity with frameworks like OWASP, CVSS, NIST, and CIS.
  • Proven expertise with SSO, RBAC models, OAuth 2.0, and other identity solutions.
  • GIAC certifications (e.g., GWAPT) or CISSP/CSSP.
  • Hands-on experience integrating security into product and software development initiatives.
  • Track record of developing and scaling application security programs.

Working at CarGurus

We reward our Gurus’ curiosity and passion with best-in-class benefits and compensation, including equity for all employees, both when they start and as they continue to grow with us. Our career development and corporate giving programs, as well as our employee resource groups (ERGs) and communities, help people build connections while making an impact in personally meaningful ways. A flexible hybrid model and robust time off policies encourage work-life balance and individual well-being. Thoughtful perks like daily free lunch, a new car discount, meditation and fitness apps, commuting cost coverage, and more help our people create space for what matters most in their personal and professional lives.

We welcome all

CarGurus strives to be a place to which people can bring the ultimate expression of themselves and their potential—starting with our hiring process. We do not discriminate based on race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation. We foster an inclusive environment that values people for their skills, experiences, and unique perspectives. That’s why we hope you’ll apply even if you don’t check every box listed in the job description. We also encourage you to tell your recruiter if you require accommodations to participate in our hiring process due to a disability so we can provide the appropriate support. We want to know what only you can bring to CarGurus. #LI-Hybrid

Share this job:
Please let CarGurus know you found this job on Remote First Jobs 🙏

Similar Remote Jobs

Latest Jobs at CarGurus

Benefits of using Remote First Jobs

Discover Hidden Jobs

Unique jobs you won't find on other job boards.

Advanced Filters

Filter by category, benefits, seniority, and more.

Priority Job Alerts

Get timely alerts for new job openings every day.

Manage Your Job Hunt

Save jobs you like and keep a simple list of your applications.

Search remote, work from home, 100% online jobs

We help you connect with top remote-first companies.

Search jobs

Hiring remote talent? Post a job

Frequently Asked Questions

What makes Remote First Jobs different from other job boards?

Unlike other job boards that only show jobs from companies that pay to post, we actively scan over 20,000 companies to find remote positions. This means you get access to thousands more jobs, including ones from companies that don't typically post on traditional job boards. Our platform is dedicated to fully remote positions, focusing on companies that have adopted remote work as their standard practice.

How often are new jobs added?

New jobs are constantly being added as our system checks company websites every day. We process thousands of jobs daily to ensure you have access to the most up-to-date remote job listings. Our algorithms scan over 20,000 different sources daily, adding jobs to the board the moment they appear.

Can I trust the job listings on Remote First Jobs?

Yes! We verify all job listings and companies to ensure they're legitimate. Our system automatically filters out spam, junk, and fake jobs to ensure you only see real remote opportunities.

Can I suggest companies to be added to your search?

Yes! We're always looking to expand our listings and appreciate suggestions from our community. If you know of companies offering remote positions that should be included in our search, please let us know. We actively work to increase our coverage of remote job opportunities.

How do I apply for jobs?

When you find a job you're interested in, simply click the 'Apply Now' button on the job listing. This will take you directly to the company's application page. We kindly ask you to mention that you found the position through Remote First Jobs when applying, as it helps us grow and improve our service 🙏

Apply