Senior Application Security Engineer

Technology - DC Metro Area | Centreville, Virginia

Description

Join Team CARFAX as a Senior Application Security Engineer 

Isn't it time you bragged about where you work? At CARFAX, we do, every day. We pride ourselves on being mission-focused on helping to grow a brand built on accuracy and integrity. We care deeply about our products and our customers. We’re more than just a company: We help millions of consumers make more informed decisions every day. We know that our teammates are our most valuable asset, and we value a balanced life while tackling challenging projects in a fast-paced environment.  

We are seeking a highly skilled and motivated Senior Application Security Engineer to join our dynamic Information Security team. The ideal candidate will be responsible for ensuring the security of our applications by identifying, evaluating, and mitigating security vulnerabilities, as well as implementing best practices and security standards. This role offers an exciting opportunity to work with a diverse set of applications and technologies in a fast-paced and innovative environment.

At CARFAX, we believe in the power of teamwork and value in-person interactions so that we can collaborate and thrive together. This position will require 3 days per week in our Centreville, VA office subject to change with future business needs.

What you’ll be doing:

  • Conduct manual and automated security assessments of web, mobile, and cloud-based applications.
  • Implement and maintain application security testing tools (SAST, DAST, and IAST) and coordinate related vulnerability remediation activities.
  • Conduct & coordinate both internal and 3rd party penetration testing engagements.
  • Collaborate with development, DevOps, and infrastructure teams to integrate security practices into the Software Development Lifecycle (SDLC).
  • Prepare and present security reports to management, highlighting key metrics, risks, and mitigation strategies.
  • Identify and prioritize potential application security threats through the use of modeling and risk assessments.
  • Assist with the detection, triage, and response to security incidents, while conducting root cause analysis and post-incident reviews to improve security posture.
  • Develop and deliver security training and awareness programs for developers, QA, and other relevant teams.
  • Design, deploy, and maintain security solutions such as Endpoint Detection and Response (EDR), data-loss prevention (DLP), web application firewalls (WAF), zero-trust, and other security detection/prevention technologies.
  • Stay updated with the latest security trends, threats, and technology developments.
  • Evaluate new security tools and technologies to enhance the security posture of our applications.

What we’re looking for:

  • Bachelor’s degree in Computer Science, Information Security, or a related field, or equivalent practical experience.
  • Proven experience (5+ years) in application security, including security assessment, penetration testing, and secure code review.
  • Strong understanding of security principles, including OWASP Top Ten, CWE/SANS Top 25, and other industry-standard security frameworks.
  • Hands-on experience with security tools such as Burp Suite, OWASP ZAP, Veracode, Checkmarx, Fortify, Nessus, NMAP, Kali Linux etc.
  • Proficiency in one or more programming languages (e.g., Java, C#, Python, JavaScript).
  • Working knowledge of common web technologies such as HTML, CSS, JavaScript, HTTP/HTTPS, and APIs, as well as a basic understanding of web application architectures (e.g., the client-server model).
  • Knowledge of cloud security principles and experience with cloud platforms (e.g., AWS, Azure, GCP).
  • Strong analytical and problem-solving skills, with the ability to think like an attacker to identify potential security weaknesses.
  • Excellent communication and interpersonal skills to effectively collaborate with cross-functional teams and explain complex security concepts to non-technical stakeholders.
  • Careful approach to reviewing code, configurations, and application logic.

What’s in it for you:

  • Competitive compensation, benefits and generous time-off policies
  • 4-Day summer work weeks and a winter holiday break
  • 401(k)/DCPP matching
  • Annual bonus program
  • Casual, dog-friendly, and innovative office spaces
  • For a comprehensive list of benefits, please visit our website: https://jobs.jobvite.com/carfax/p/benefits

Don’t just take our word for it:

  • 10X Virginia Business Best Places to Work
  • 10X Washingtonian Great Places to Work
  • 9X Washington Post Top Workplace
  • 3X Louis Post-Dispatch Best Places to Work

About CARFAX

CARFAX, part of S&P Global Mobility, helps millions of people every day confidently shop, buy, service and sell used cars with innovative solutions powered by CARFAX vehicle history information. The expert in vehicle history since 1984, CARFAX provides exclusive services like CARFAX Used Car Listings, CARFAX Car Care, CARFAX History-Based Value and the flagship CARFAX® Vehicle History Report™ to consumers and the automotive industry. CARFAX owns the world’s largest vehicle history database and is nationally recognized as a top workplace by The Washington Post and Glassdoor.com. Shop, Buy, Service, Sell – Show me the CARFAX™. S&P Global Mobility is a division of S&P Global (NYSE: SPGI). S&P Global is the world’s foremost provider of credit ratings, benchmarks, analytics and workflow solutions in the global capital, commodity and automotive markets.

CARFAX is an Affirmative Action/Equal Opportunity Employer. It is the policy of CARFAX to provide equal employment opportunity to all persons regardless of race, color, sex, pregnancy, religion, national origin, age, ancestry, citizenship status, veteran status, military status, disability or handicap, sexual orientation, genetic information or any other status protected by federal, state or local law. In addition, CARFAX will provide reasonable accommodations for qualified individuals with disabilities. We maintain a drug-free workplace. We are a participant in E-Verify.