Staff Security Engineer

The Company You’ll Join

The Problems You'll Solve

Leadership & Strategy:

• Define and drive the product security vision, strategies, and best practices across product teams.
• Mentor and guide junior security engineers and cross-functional teams on secure development practices.

Threat Modeling & Risk Management:

• Lead threat modeling exercises and risk assessments for new and existing products to identify potential security vulnerabilities.
• Develop and implement effective mitigation strategies in collaboration with product and engineering teams.

Secure Development & Architecture:

• Integrate security best practices into the Software Development Lifecycle (SDLC) and infrastructure design.
• Work closely with development and operations teams to design security into products from inception through deployment.

Vulnerability Management:

• Oversee comprehensive security testing, including code reviews, penetration testing, fuzz testing, and the development of automated security tools.

Bug Bounty Program Management:

• Manage and enhance our bug bounty programs and third-party security testing initiatives, engaging with platforms such as Bugcrowd.
• Evaluate vulnerability reports from external researchers, prioritize remediation efforts, and clearly communicate findings to relevant stakeholders.

Compliance & Continuous Improvement:

• Ensure compliance with industry standards and regulations (e.g., SOC2, GLBA, etc) while driving continuous improvement in security processes and policies.
• Assess and improve the security posture of supporting infrastructure and third-party integrations.
• Stay current with emerging security trends and technologies, integrating them into our security framework as appropriate.

Collaboration with InfraSec and SecOps:

• Collaborate with infrastructure teams to secure cloud environments (AWS), container platforms (Docker, Kubernetes), and CI/CD pipelines.
• Coordinate  security  incident response efforts, conduct root cause analyses, and coordinate remediation across teams in partnership with Security operations.

About You

• Bachelor’s or Master’s degree in Computer Science, Cybersecurity, or a related field.
• 8+ years of experience in product or application security with demonstrable expertise in secure software development and infrastructure security.
• Deep understanding of threat modeling, risk management, and vulnerability assessment methodologies.
• Experience with secure API development, microservices security, and addressing emerging infrastructure security challenges.
• Proficiency in multiple programming languages (e.g., Python, Django, Java, JavaScript) and familiarity with secure coding practices.
• Hands-on experience with security tools  and experience integrating automated security testing into CI/CD pipelines.
• Excellent leadership, communication, and collaboration skills, with the ability to work effectively across diverse teams.

• Familiarity with cloud security best practices and container security technologies.
• Proven experience managing bug bounty programs and working with platforms such as Bugcrowd.
• Demonstrated track record in leading security initiatives within fast-paced, innovative environments.

• We are an equal opportunity employer and are committed to providing a positive interview experience for every candidate. If accommodations due to a disability or medical condition are needed, please connect with the talent partner via email. 
• Carta uses E-Verify in the United States for employment authorization. See the E-Verify and Department of Justice websites for more details.
• Interested in data privacy? Check out our policies on Privacy and CA Candidate Privacy.
• Please note that all official communications from us will come from an @carta.com or @carta-external.com domain.