Staff Application Security Engineer

Carta develops purpose-built software that transforms traditional accounting into a powerful growth engine.

Carta’s world-class fund administration platform supports nearly 7,000 funds and SPVs, and represents nearly $130B in assets under management in venture capital and private equity.

Trusted by more than 40,000 companies, Carta also helps private businesses in over 160 countries manage their cap tables, valuations, taxes, equity programs, compensation, and more.

Together, Carta is setting a new standard as the end-to-end platform for private markets. Our best-in-class solution for fund management seamlessly integrates investor and portfolio company insights via a suite of tools designed ground-up to support the strategic impact of the fund CFO.

As a Staff Application Security Engineer with the power to change the product, the pipeline, and our developers onboarding, you’ll be able to help us design and evolve our product security program. We are the partners of product and infrastructure engineering and need curious minds to help us keep paving the way.

Some of the problems you’ll help us solve are:

• Define and drive the product security vision, strategies, and best practices across product teams.
• Mentor and guide junior security engineers and cross-functional teams on secure development practices.

Threat Modeling:

• Lead threat modeling exercises for new and existing products to identify potential security vulnerabilities.
• Develop and implement effective mitigation strategies in collaboration with product and engineering teams.
• Integrate security best practices into the Software Development Lifecycle (SDLC) and infrastructure design.
• Work closely with development and operations teams to design security into products from inception through deployment.

Vulnerability Management:

• Oversee comprehensive security testing, including code reviews, penetration testing, fuzz testing, and the development of automated security tools.

Bug Bounty Program Management:

• Manage and enhance our bug bounty programs and third-party security testing initiatives, engaging with platforms such as Bugcrowd.
• Evaluate vulnerability reports from external researchers, prioritize remediation efforts, and clearly communicate findings to relevant stakeholders.

Compliance & Continuous Improvement:

• Support compliance efforts to align with industry standards and regulations (e.g., SOC2, GLBA, etc.) while driving continuous improvement in security processes and policies.
• Assess and improve the security posture of supporting infrastructure and third-party integrations.
• Stay current with emerging security trends and technologies, integrating them into our security framework as appropriate.

Collaboration with Infrasec and Secops:

• Collaborate with infrastructure teams to secure cloud environments (AWS), container platforms (Docker, Kubernetes), and CI/CD pipelines.
• Participate in security incident response efforts, conduct root cause analyses, and coordinate remediation across teams in partnership with Security operations.

About You

• Bachelor’s or Master’s degree in Computer Science, Cybersecurity, or a related field.
• 8+ years of experience in product or application security with demonstrable expertise in secure software development and infrastructure security.
• Deep understanding of threat modeling, risk management, and vulnerability assessment methodologies.
• Experience with secure API development, microservices security, and addressing emerging infrastructure security challenges.
• Hands-on experience with security tools and experience integrating automated security testing into CI/CD pipelines.
• Excellent leadership, communication, and collaboration skills, with the ability to work effectively across diverse teams.

Nice to haves:

• Familiarity with cloud security best practices and container security technologies.
• Proven experience managing bug bounty programs and working with platforms such as Bugcrowd.
• Demonstrated track record in leading security initiatives within fast-paced, innovative environments.

Disclosures:

We are an equal opportunity employer and are committed to providing a positive interview experience for every candidate. If accommodations due to a disability or medical condition are needed, please connect with the talent partner via email.

• Please note that all official communications from us will come from an @carta.com or @carta-external.com domain. Report any contact from unapproved domains to security@carta.com.

Apply for this job

* indicates a required field

First Name *

Last Name *

Email *

Phone *

Location (City)

Resume/CV *

Accepted file types: pdf, doc, docx, txt, rtf

Are you currently eligible to work in the country where this position is located for any employer? * Select...

LinkedIn Profile *

GitHub

Website

Other

Which is your preferred office location(s)? * Select...

Do you now or in the future require visa sponsorship to continue working in the country where this position is located? * Select...

Have you worked for Carta at any other time previously? * Select...

AI Policy for Application & Interviewing: * Select...

While we encourage people to use AI systems during their role to help them work faster and more effectively, please do not use AI assistants during the application and interviewing process. We want to understand your personal interest in Carta without mediation through an AI system, and we also want to evaluate your non-AI-assisted communication skills. Please indicate 'Yes' if you have read and agree.