Staff Software Engineer Product Security

The Company Youll Join

Carta connects founders investors and limited partners through worldclass software purposebuilt for everyone in venture capital private equity and private credit.

Cartas fund administration platform supports nearly 7000 funds and SPVs representing $150B in assets under administration in venture capital and private equity. Trusted by more than 40000 companies Carta also helps private businesses in over 160 countries manage their cap tables valuations taxes equity programs compensation and more.

Together Carta is creating the endtoend ERP platform for private markets. Traditional ERP solutions dont work for Private Funds. Private capital markets need a comprehensive software solution to replace outdated spreadsheets and fragmented service providers. Cartas software for the Office of the Fund CFO does just that its a new category of software to make private markets look more like public markets a connected ERP for private capital.

For more information about our offices and culture check out our Carta careers page.

The Problems Youll Solve

With the power to change the product the pipeline and our developers onboarding youll be able to help us design and evolve our product security program. We are the partners of product and infrastructure engineering and need curious minds to help us keep paving the way.

Some of the problems youll help us solve are:

Leadership & Strategy:

• Define and drive the product security vision strategies and best practices across product teams.
• Mentor and guide junior security engineers and crossfunctional teams on secure development practices.

Threat Modeling:

• Lead threat modeling exercises for new and existing products to identify potential security vulnerabilities.
• Develop and implement effective mitigation strategies in collaboration with product and engineering teams.

Secure Development & Architecture:

• Integrate security best practices into the Software Development Lifecycle (SDLC) and infrastructure design.
• Work closely with development and operations teams to design security into products from inception through deployment.

Vulnerability Management:

• Oversee comprehensive security testing including code reviews penetration testing fuzz testing and the development of automated security tools.

Bug Bounty Program Management:

• Manage and enhance our bug bounty programs and thirdparty security testing initiatives engaging with platforms such as Bugcrowd.
• Evaluate vulnerability reports from external researchers prioritize remediation efforts and clearly communicate findings to relevant stakeholders.

Compliance & Continuous Improvement:

• Support compliance efforts to align with industry standards and regulations (e.g. SOC2 GLBA etc) while driving continuous improvement in security processes and policies.
• Assess and improve the security posture of supporting infrastructure and thirdparty integrations.
• Stay current with emerging security trends and technologies integrating them into our security framework as appropriate.

Collaboration with Infrasec and Secops:

• Collaborate with infrastructure teams to secure cloud environments (AWS) container platforms (Docker Kubernetes) and CI/CD pipelines.
• Participate in security incident response efforts conduct root cause analyses and coordinate remediation across teams in partnership with Security operations.

Required Qualifications

• Bachelors or Masters degree in Computer Science Cybersecurity or a related field.
• 8 years of experience in product or application security with demonstrable expertise in secure software development and infrastructure security. (Strong preference for candidates who have been a Software Engineer and/or have experience building software applications.
• Deep understanding of threat modeling risk management and vulnerability assessment methodologies.
• Experience with secure API development microservices security and addressing emerging infrastructure security challenges.
• Proficiency in multiple programming languages (e.g. Python Django Java JavaScript) and familiarity with secure coding practices and frameworks such as OWASP SAMM.
• Handson experience with security tools and experience integrating automated security testing into CI/CD pipelines.
• Excellent leadership communication and collaboration skills with the ability to work effectively across diverse teams.

Nice to have Qualifications

• Familiarity with cloud security best practices and container security technologies.
• Proven experience managing bug bounty programs and working with platforms such as Bugcrowd.
• Demonstrated track record in leading security initiatives within fastpaced innovative environments.

Salary

Cartas compensation package includes a market competitive salary equity for all full time roles exceptional benefits and for applicable roles commissions plans. Our minimum cash compensation (salary commission if applicable) range for this role is:

• $246240 $307800 in Seattle WA
• $259200 $324000 in San Francisco CA or Santa Clara CA

Final offers may vary from the amount listed based on geography candidate experience and expertise and other factors.

Disclosures:

• We are an equal opportunity employer and are committed to providing a positive interview experience for every candidate. If accommodations due to a disability or medical condition are needed please connect with the talent partner via email.
• Carta uses EVerify in the United States for employment authorization. See the EVerify and Department of Justice websites for more details.
• For information on our data privacy policies seePrivacyCA Candidate Privacy and Brazil Transparency Report.
• Please note that all official communications from us will come from an @ or @ domain. Report any contact from unapproved domains to