Who we are

At CarGurus (NASDAQ: CARG), our mission is to give people the power to reach their destination. We started as a small team of developers determined to bring trust and transparency to car shopping. Since then, our history of innovation and go-to-market acceleration has driven industry-leading growth. In fact, we're the largest and fastest-growing automotive marketplace, and we've been profitable for over 15 years.

What we do

The market is evolving, and we are too, moving the entire automotive journey online and guiding our customers through every step. That includes everything from the sale of an old car to the financing, purchase, and delivery of a new one. Today, tens of millions of consumers visit CarGurus.com each month, and ~30,000 dealerships use our products. But they're not the only ones who love CarGurus-our employees do, too. We have a people-first culture that fosters kindness, collaboration, and innovation, and empowers our Gurus with tools to fuel their career growth. Disrupting a trillion-dollar industry requires fresh and diverse perspectives. Come join us for the ride!

• Coordinate business strategy, security design and review activities with various company teams.
• Define security architecture and security controls.
• Provide design and oversight into infrastructure security architectures.
• Provide design and oversight into cloud security architectures.
• Provide strategic consultation to business units, identifying and addressing potential security gaps, and advising on the necessary involvement of the security organization in various projects.
• Apply risk-based methodologies to evaluate, prioritize, and address vulnerabilities and security findings.
• Serve as a bridge between business and security teams, facilitating communi- cation and ensuring security requirements are integrated efficiently into business processes.
• Research and implement new security tools, frameworks, and processes to enhance our security posture.

• Advise software development and engineering teams to ensure that data collection, storage, transmission, and usage throughout development are transparent, security focused, and mitigate risk.
• Provide technical leadership and oversight to application security activities and initiatives.
• Oversee bug bounty and threat researcher programs.
• Provide technical leadership and oversight to vulnerability threat management activities and initiatives.
• Provide technical leadership and oversight to penetration testing activities and initiatives.
• Provide security oversight and design guidance to the DevOps process.
• Develop metrics to measure the application security program.
• Establish automated configurations to enhance user access controls.

• Educate and guide engineers on secure coding practices.
• Mentor junior team members and foster a culture of continuous learning.
• Actively participate in security incident response.

• 7-12 years as an application security practitioner, including 3-5 years in security architecture.
• Strong knowledge of web/application-layer security, attack vectors, and secure coding practices.
• Experience conducting application threat modeling and performing in-depth security assessments.
• Familiarity with frameworks like OWASP, CVSS, NIST, and CIS.
• Proven expertise with SSO, RBAC models, OAuth 2.0, and other identity solutions.

• GIAC certifications (e.g., GWAPT) or CISSP/CSSP.
• Hands-on experience integrating security into product and software development initiatives.
• Track record of developing and scaling application security programs.