Senior Application Security Engineer

Security is a core value at Credit Karma. We help millions of people better manage their credit. Safeguarding their sensitive information is critical to our continued success. From the CEO down to each individual developer, everyone views security as a personal responsibility. Your unique mission as a Software Security Engineer is to identify potential weaknesses in the foundational infrastructure and strategically reinforce them, enabling the engineering team to focus fiercely on new features.

What the Job Entails

  • Evaluate the key frameworks (and their ecosystems) that form the core platform for Credit Karma Engineering, looking for areas where framework improvements could eliminate the potential for vulnerabilities to be introduced.
  • Envision, design and implement core libraries and wrappers which surface key security concerns and automatically address them wherever possible.
  • Help make sure security capabilities are used correctly.
  • Support vulnerability remediation by recommending holistic solutions instead of brittle point-fixes.
  • Refactor existing codebase to leverage new security framework capabilities with an eye toward transition from monolithic to service-oriented architecture.

Our Ideal Candidate

  • B.S. in Computer Science or related technical major or significant job experience.
  • Minimum 5 years security experience, both as a builder and breaker, preferably.
  • Technical depth in many, if not most of the following areas: LAMP stack, Node.js, Scala/Java, mobile, PKI, HTTP-based SOA/microservices, encryption, hashing, tokenization, secure randomness, Hardware Security Modules (HSMs), canonicalization, output encoding, message-based security, rate-limiting, anti-automation, role-based access control (RBAC), and large-scale data transport.
  • Working knowledge of all vulnerability classes on the OWASP Periodic Table of Vulnerabilities, with strong conceptualization of designs that make it impossible for developers to introduce those vulnerabilities.
  • Thorough understanding of InfoSec control frameworks and how they can be realistically implemented.
  • Thought leadership in the security field, with demonstrable contributions to industry groups strongly desired.
  • Artful communication skills and organizational savvy, to steer peers and leadership toward solutions that carefully balance business, risk, compliance, and engineering concerns.
  • Eagerness to challenge the status quo, balanced with a reasonable and methodical approach to effecting change.
  • A fun and positive attitude!


Back to top