The Cybersecurity Engineer II in our Application Security Program plays a key role in enhancing the security program for a company and national brand that has been listed on the Fortune 100 Best Places to Work.
We work in a collaborative environment where your ideas can help shape the direction and development of critical security capabilities. You will work with a team of talented professionals who are focused on solving complex security challenges and supporting product innovation through technology. Our team is not afraid to fail fast, learn, and find better ways to operate.
This role requires flexibility, adaptability to change, and a willingness to ask questions that lead to meaningful security posture improvements for CarMax.
What You Will Do – Essential Responsibilities
Implement, operate, and continuously improve application security solutions, including SAST, DAST, API security, container security, and software composition analysis (SCA).
Support development and product teams by providing functional and technical guidance on application security findings and remediation approaches.
Assist in embedding security into the software development lifecycle (SDLC) through tooling, automation, and collaborative partnerships with engineering teams rather than enforcement-based gates.
Contribute to security automation efforts in CI/CD pipelines, leveraging security-as-code principles where applicable.
Collaborate with senior engineers on threat modeling activities for web, API, and serverless applications.
Learn and apply secure design principles for Azure and Azure Functions.
Independently manage assigned tasks and smaller projects, escalating risk or complexity as appropriate.
Effectively triage support issues and respond with the appropriate level of urgency.
Participate in a 24x7 on-call rotation as scheduled, including limited after-hours support when needed.
Required Qualifications
Relevant experience in cybersecurity, application development, DevSecOps, or a closely related technical discipline.
Strong foundational knowledge of application security concepts, web vulnerabilities (OWASP Top 10), and secure coding principles.
Practical knowledge of Azure and serverless application security, including hands-on exposure to Azure Functions.
Functional experience with at least one programming or scripting language (e.g., Python, PowerShell, JavaScript, .NET).
Hands-on exposure to SAST and/or DAST tools, including interpreting findings and recommending remediation.
Familiarity with Azure-native application architectures, CI/CD pipelines, and DevSecOps concepts, with interest in security automation.
Strong analytical, troubleshooting, and problem-solving skills.
Effective written and verbal communication skills, with the ability to explain security concepts to technical audiences.
Strong organization, time management, and prioritization skills.
Preferred Qualifications
Experience with API security, container security, or Kubernetes security concepts.
Exposure to threat modeling methodologies for applications and services, including serverless architectures.
Basic understanding of applied cryptography, web security, TLS/SSL, and authentication protocols (e.g., OAuth, SAML).
Interest in using automation or AI-assisted tooling to improve security efficiency (e.g., triage, code review assistance).
Education and/or Experience
Bachelor’s degree in Computer Science, Engineering, Cybersecurity, or a related field, or equivalent alternative education, skills, and/or practical experience.
2+ years of work experience in cybersecurity or other areas directly relevant to cybersecurity responsibilities.
Knowledge of developer tools such as GitHub, Azure DevOps, and TeamCity.
Understanding of development and product teams and DevSecOps best practices.
Security certifications such as Security+ or CSSLP (or progress toward advanced certifications).
Work Location and Arrangement: This role will be based out of the CarMax Home Office in Richmond, VA. Associates based in Richmond work onsite 5 days per week.
Work Authorization: Applicants must be currently authorized to work in the United States on a full-time basis. Sponsorship will not be considered for this specific role.
About CarMax
CarMax disrupted the auto industry by delivering the honest, transparent and high-integrity experience customers want and deserve. This innovative thinking around the way cars are bought and sold has helped us become the nation’s largest retailer of used cars, with over 200 locations nationwide.
Our amazing team of more than 25,000 associates works together to deliver iconic customer experiences. Along the way, we help every associate grow their career and achieve their best, at work and in their community. We are recognized for our commitment to training and diversity and are one of the FORTUNE 100 Best Companies to Work For®.
Our Commitment to Diversity and Inclusion:
CarMax is committed to bringing together people from different backgrounds and perspectives, providing employees with a safe, welcoming, and inclusive work environment.
CarMax is an equal opportunity employer, and all qualified candidates will receive consideration for employment without regard to age, race, color, religion, sex, sexual orientation, gender identity, genetic information, national origin, protected veteran status, disability status, or any other characteristic protected by law.
Upon an applicant's request, CarMax will consider reasonable accommodation to complete the CarMax Job Application.