Senior Application Security Engineer

Credit Karma is a mission-driven company, focused on championing financial progress for our more than 100 million members in the U.S., Canada and U.K.  While we're best known for pioneering free credit scores, our members turn to us for tips as they work on their  financial goals, including helping them monitor their credit, identity monitoring, searching for credit cards, shopping for loans (car, home and personal), filing their taxes with Credit Karma Tax and growing their savings* -- all for free. Credit Karma has grown significantly through the years: we've added more than 70 million members in the last five years alone and now have more than 1,100 employees across our offices in San Francisco, Charlotte, Los Angeles, Leeds, London and soon Oakland.

Security is a core value at Credit Karma. From the CEO down to each individual developer, everyone views security as a personal responsibility. Your mission as a Senior Application Security Engineer is to identify potential threats and vulnerabilities, educate engineers, mentor team members, and communicate with engineers to resolve any issues identified.

*Banking services provided by MVB Bank, Inc., Member FDIC

What the Job Entails

  • The Application Security team is a large team of professionals from various backgrounds who focus on securing our products. We perform traditional application security activities, preferring impact over security theatre. We will adopt the new techniques from SecDevOps teams to develop our own type of strategy, implementing automation of application security tasks and allowing us to focus on what is important.
  • Our mission is a real priority in the company. You will see from the first week of engineering on-boarding's required security training to our internal security champions program, security is in the forefront of every employee's mind. We own this part of the security program and are always looking to build out our internal training and awareness.
  • We perform security reviews over a wide variety of exciting domains, from getting the first glance at new microservices to reviewing our transition into the cloud. There are many products and services in which you can make an impact, bring your senior expertise in engineering and security concepts to bear across our company.
  • We are responsible for securing the company code and third party libraries. We are integrated with CI/CD pipelines and automating our way to a scalable solutions; the kind of solution you can contribute to by writing code and directly working with engineers to further the adoption of our security tools.
  • Our SDLC is integrated with the company's processes, and we work closely within our wider security organization to manage risk, coordinate, and move the entire company forward in our mission.

Your Expertise

  • You will have worked in the security industry for a minimum 8-10 years security experience. We welcome both red team and blue team members.
  • You are an expert in security vulnerabilities, knowledgeable in testing and remediation, and can communicate all of these concepts to your partners in engineering. From the OWASP Top Ten to more advanced concepts, you've seen it before and can describe it with ease.
  • You have worked in engineering or with engineers during your career, so you understand their work and obligations. Application Security works together with Engineering to meet both business needs and security requirements.
  • Communication and teamwork is important: Interpersonal skills and the ability to work together with organizations will be key to your success.
  • Eagerness to challenge the status quo, balanced with a reasonable and helpful approach to effecting change.

Desired Skills

  • Do you have expertise in some of these technologies? iOS, Android, GCP, JIRA, Git, CircleCI, Jenkins, Artifactory, Consul, Kubernetes, webpack, react, GraphQL, Apollo, finagle, MySQL, Splunk, InfluxDB, Grafana, node.js, TypeScript, PHP, and Scala.
  • Have you contributed to maintained multi-contributor security tools? We plan to build next generation security tools you cannot buy, and you have an opportunity to contribute.
  • Have you presented at security conferences and meet-ups? We want to hear about how you would take our program to the next level.

Equal Employment Opportunity
Credit Karma is committed to a diverse and inclusive work environment. We believe that such an environment advances long-term professional growth, creates a robust business, and supports our mission of championing financial progress for everyone. We offer generous benefits and perks with a single eye to nourishing an inclusive environment that recognizes the contributions of all and fosters diversity by supporting our internal Employee Resource Groups. We’ve worked hard to build an intensely collaborative and creative environment, a diverse and inclusive employee culture, and the opportunity for professional growth.
As part of the Credit Karma team, your voice will be heard, your contributions will matter, and your unique background and experiences will be celebrated. Credit Karma is also proud to be an Equal Opportunity Employer. We welcome all candidates without regard to race, color, religion, age, marital status, sex (including pregnancy, childbirth, or related medical condition), sexual orientation, gender identity or gender expression, national origin, veteran or military status, disability (physical or mental), genetic information, or any other protected characteristic. We prohibit discrimination of any kind and operate in compliance with the San Francisco Fair Chance Ordinance.

Back to top