Senior Product Security Engineer

Credit Karma, Charlotte, NC

About The Position

Intuit Credit Karma is a mission-driven company, focused on championing financial progress for our more than 140 million members globally. While we're best known for pioneering free credit scores, our members turn to us for everything related to their financial goals, including identity monitoring, applying for credit cards, shopping for insurance and loans (car, home and personal) and savings accounts and checking accounts – all for free. Credit Karma has grown significantly through the years: we now have more than 1,700 employees across our offices in Oakland, Charlotte, Culver City, San Diego, London, Bangalore, and New York City.

Banking services provided by MVB Bank, Inc., Member FDIC.

We’re hiring a Senior Product Security Engineer to lead the design and deployment of security capabilities across both traditional application security and AI/ML systems. You’ll build and integrate security tooling, leveraging open-source and vendor solutions, to strengthen our Secure Development Lifecycle and vulnerability reduction efforts (including SAST, DAST, SCA, secrets scanning, and vulnerability management), while also securing the full AI lifecycle: data ingestion, training/fine-tuning, evaluation, model registry, inference, agentic workflows, and MCP servers/tools.

You’ll partner closely with product engineering, ML engineering, and platform teams to implement scalable controls, define standards, and operationalize continuous assurance across apps and AI systems. That covers secure coding practices, supply chain integrity, identity and access controls, runtime protections, and AI-specific risks such as model security, prompt/tool safety, and AI pipeline governance.

Requirements

  • 6+ years in product/application security in large-scale systems.
  • Demonstrated experience building or operationalizing security tooling (CI/CD integrations, scanners, policy engines, security automation, detection/monitoring).
  • Strong foundation in security architecture, design reviews, and threat modeling for modern cloud-native systems.
  • Practical understanding of AI/ML systems and workflows: model development lifecycle, model registry/deployments, evals, vector databases/RAG, and agent frameworks.
  • Deep familiarity with common software vulnerabilities (OWASP Top 10) and modern cloud threats; strong ability to communicate risk to engineers.
  • Ability to collaborate with software engineers and ML engineers—meeting business goals while enforcing security requirements.
  • Experience applying security standards and compliance frameworks (examples: NIST frameworks, ISO 27001/27002 concepts, SOC 2 controls, OAuth/OIDC, PCI DSS where relevant).
  • Proficiency in one or more: Python, Go, Java, TypeScript/Node, Rust, Scala.

Nice To Haves

  • Hands-on experience securing agentic workflows, tool calling, function execution, and MCP servers (or similar tool/plugin servers).
  • Experience with LLM platforms and deployments (e.g., GPT, Gemini, Claude, Llama) and associated security risks and mitigations.
  • Familiarity with AI threat landscape and testing approaches: prompt injection (direct/indirect), tool injection, RAG poisoning, data leakage, jailbreaks, model extraction/inversion risks.
  • Experience with provenance and integrity controls: artifact signing, attestations, SBOMs, SLSA-style build practices, model/dataset lineage, registry governance.
  • Familiarity with secure model onboarding (third-party/open model risk), license/compliance considerations, and lifecycle governance.
  • Exposure to cloud security tooling and environments (e.g., GCP/AWS/Azure), Kubernetes, service mesh, IAM, secrets management (Vault/KMS), OPA/policy-as-code, CI/CD (CircleCI/GitHub Actions), and observability (Splunk).
  • Experience designing enterprise-wide security patterns and standards (reference architectures, paved roads).
  • Strong cryptography fundamentals and real-world usage (TLS, HMAC, key management, encryption at rest/in transit).

Responsibilities

  • Lead security architecture reviews and threat modeling across both traditional software systems and AI/ML systems (apps, APIs, cloud services, agents, tool integrations, MCP servers, orchestration frameworks)
  • Define and implement security controls across the SDLC (design, build, test, deploy, operate) and the AI lifecycle (data, training, eval, registry, inference, monitoring)
  • Establish guardrails for agentic systems: tool authorization, least privilege, sandboxing, action validation, safe autonomy patterns
  • Build and maintain “secure-by-default” automation for engineering teams (policy-as-code, CI/CD gates, risk scoring, provenance verification)
  • Evolve SAST/DAST/SCA programs: tool selection/tuning, pipeline integration, rules/baselines, false-positive reduction, and developer workflows
  • Evaluate and integrate open-source and vendor tooling for AppSec and AI security (code scanning, dependency scanning, DAST, secrets scanning, model scanning, prompt safety, agent runtime monitoring, data leakage controls)
  • Develop reusable security patterns and reference implementations (secure libraries/SDKs, templates, controls) for web, mobile, API, and AI services
  • Implement AI supply chain protections: dataset/model provenance, artifact signing, model registry governance, reproducible builds, dependency integrity
  • Enforce secure access and distribution controls for services and models: versioning, approvals, RBAC/ABAC, encryption, secure storage, deployment attestations
  • Partner with platform teams to secure infrastructure and runtime: IAM, secrets management, Kubernetes/container hardening, network controls, logging/monitoring, isolation boundaries
  • Automate validation for AI-specific risks (direct and indirect prompt injection, tool injection, data exfiltration, jailbreaks, malicious retrieval content, unsafe tool use, privacy attacks where applicable) and common AppSec risks (OWASP Top 10, authentication/authorization flaws, injection, SSRF, deserialization, etc.)

Benefits

  • Medical and Dental Coverage
  • Retirement Plan
  • Commuter Benefits
  • Wellness perks
  • Paid Time Off (Vacation, Sick, Baby Bonding, Cultural Observance, & More)
  • Education Perks
  • Paid Gift Week in December
© 2024 Teal Labs, Inc