Security Design & Engagement Lead

<br>

Job Description

<br>

Overview

CoStar Group (NASDAQ: CSGP) is a leading global provider of commercial and residential real estate information, analytics, and online marketplaces.  Included in the S&P 500 Index and the NASDAQ 100, CoStar Group is on a mission to digitize the world’s real estate, empowering all people to discover properties, insights and connections that improve their businesses and lives. 

We have been living and breathing the world of real estate information and online marketplaces for over 35 years, giving us the perspective to create truly unique and valuable offerings to our customers.  We’ve continually refined, transformed and perfected our approach to our business, creating a language that has become standard in our industry, for our customers, and even our competitors.  We continue that effort today and are always working to improve and drive innovation.  This is how we deliver for our customers, our employees, and investors.  By equipping the brightest minds with the best resources available, we provide an invaluable edge in real estate.   

We are seeking a Security Design & Engagement Lead to help transform how security is integrated into our software development lifecycle. This role will champion secure design principles, drive early engagement with development teams, and establish reusable security patterns that scale across CoStar’s diverse product portfolio.

You will work closely with product managers, architects, and developers to ensure security is considered from the first design discussion. You’ll also lead efforts to document secure design patterns, facilitate threat modeling sessions, and guide teams working on risk-sensitive applications.

This position is located in Arlington, VA and is in office Monday through Thursday and work from home on Friday.

Responsibilities

• Develop and maintain secure reference architectures and playbooks for web/mobile, microservices, data pipelines, serverless, Kubernetes, and other common design patterns.
• Expose secure patterns in both human-readable and AI-consumable formats.
• Lead proactive engagement with development teams during the design and planning phases of new applications. Turn security guidance into backlog items with owners, severity, and SLAs.
• Facilitate threat modeling workshops and curate reusable misuse and abuse-case libraries and self-serve templates resulting in actionable guidance on mitigating identified risks.  Track risk mitigations to closure.
• Collaborate with architects, engineers, and product owners to embed security controls into application blueprints including authn/z, data protection, service-to-service trust, API gateway, service-mesh, safe use of secrets. 
• Define security non-functional requirements (NFRs) and acceptance criteria baked into project epics and user stories.
• Review and respond to secure design pattern service requests, ensuring timely support and resolution.  Provide office hours and training.
• Promote and foster a culture of secure-by-design across engineering teams.  Publish and track adoption metrics.

Basic Qualifications

• Bachelor’s Degree required from an accredited, not for profit university or college.  
• A track record of delivering long-term impact to prior employers.
• 3+ years of experience in application security, security architecture, or secure SDLC practices.
• Proven experience writing technical standards, SOPs, and reference architectures.
• Ability to lead threat modeling (e.g., STRIDE, PASTA) exercises and tools; and coach software development teams to conduct threat modeling in their design stages.
• Strong understanding of secure design principles, authentication/authorization (OAuth, SAML, RBAC), and Zero Trust.
• Knowledge of cloud-native security controls (AWS, GCP, Azure), encryption, PKI, and secure coding practices.
• Excellent communicator with technical and non-technical stakeholders able to drive risk-based prioritization.
• Experience mapping secure design controls to OWASP ASVS (L2, L3)

Preferred Qualifications and Skills

• Professional certifications such as CISSP, CISM, or AWS/Azure security certifications.
• Experience with DevSecOps, CI/CD pipelines, and security testing tools (SAST, DAST).
• Delivered reference architectures, SDKs, modules, IaC (Terraform), and policy-as-code (OPA/Conftest, Semgrep rules/SARIF).
• Familiarity with governance and compliance frameworks (NIST, ISO 27001, PCI DSS).
• Prior experience leading culture change at scale (training, office hours, enablement) with adoption metrics.

What’s in it for You

When you join CoStar Group, you’ll experience a collaborative and innovative culture working alongside the best and brightest to empower our people and customers to succeed.

We offer you generous compensation and performance-based incentives. CoStar Group also invests in your professional and academic growth with internal training, and tuition reimbursement.

Our benefits package includes (but is not limited to):

• Comprehensive healthcare coverage: Medical / Vision / Dental / Prescription Drug
• Life, legal, and supplementary insurance
• Virtual and in person mental health counseling services for individuals and family
• Commuter and parking benefits
• 401(K) retirement plan with matching contributions
• Employee stock purchase plan
• Paid time off
• Tuition reimbursement
• On-site fitness center and/or reimbursed fitness center membership costs (location dependent), with yoga studio, Pelotons, personal training, group exercise classes
• Access to CoStar Group’s Diversity, Equity, & Inclusion Employee Resource Groups
• Complimentary gourmet coffee, tea, hot chocolate, fresh fruit, and other healthy snacks

We welcome all qualified candidates who are currently eligible to work full-time in the United States to apply.  However, please note that CoStar Group is not able to provide visa sponsorship for this position.

#LI-AR

<br>

CoStar Group is an Equal Employment Opportunity Employer; we maintain a drug-free workplace and perform pre-employment substance abuse testing