Desired Skills and Experience

  • Develop a threat model for the Wikimedia Foundation and all our projects and define the right security profile in collaboration with your peer group and our IT department.
  • Run day-to-day security operations for the Wikimedia Foundation, including our community-facing and enterprise systems.
  • Design incident response policies and execute incident response processes.
  • Design and deploy account and content abuse detection mechanisms.
  • Refine and improve access controls and audits.
  • Lead security and privacy incident handling and response.
  • Manage external security audits and pen tests and implement mitigation strategies to address discovered vulnerabilities.
  • Serve as a subject matter expert on application security, communicating its impact on security, risk, and compliance decisions.
  • Manage a team of up to six members, leading performance reviews, hiring, goal-setting, compensation planning, and career development.
  • Design and develop security-centric enhancements of Wikimedia systems.
  • Conduct security reviews of software designs and implementations.
  • Deploy security patches to Wikimedia websites.
  • Prepare periodic security releases of MediaWiki software.
  • Define and manage department budget.
  • Work with peer groups such as Legal, Office IT, Finance, Advancement and others in the Foundation to define:
      • Strategies for addressing security and privacy concerns;
      • Initiatives to maintain security as related to software design, development, documentation, and release; and
      • Practices to ensure the privacy, security, and integrity of data throughout the collection, access, analysis, release, and retention processes.
  • CISSP certification is highly desirable
  • Bachelor’s degree and 12 yrs of related experience; or 8 yrs and a Master’s degree; or equivalent experience
  • 5+ years of leadership experience in the Internet industry
  • 5+ years of experience building web applications
  • 3+ years of experience managing a software or security engineering team with a minimum of 5 direct reports
  • Expert knowledge of common web application vulnerabilities (OWASP Top 10 / CWE Top 25)
  • Experience with threat modeling and risk assessment
  • Good understanding of privacy technologies, such as anonymization
  • Experience integrating secure development life cycle processes
  • Extensive experience building and maintaining large-scale server applications
  • Proven record of finding and fixing software vulnerabilities
  • Expert knowledge developing and debugging in Linux (LAMP) environments
  • Excellent knowledge of PHP
  • Experience with Linux system administration and automation using shell scripting (bash, ZSH, etc.)
  • Excellent verbal and written communication skills
  • Experience working on a large, mature open source project
  • Experience as a contributor in the Wikipedia or Wikimedia project communities
  • Experience with traditional information security concepts, including host- and network-based intrusion detection/prevention, host- and network-based firewalls, and application segmentation
  • Experience with mobile application security for iOS and Android platforms
  • Experience with PCI DSS audit and compliance more generally
  • Experience managing an external security audit
  • Experience with static analysis tools such as Veracode, pfff, PHP-sat and PHP_CodeSniffer
  • Experience with C/C++ debugging using open source tools like gdb and Valgrind a major plus
  • Experience with operating system internals, filesystems, programming language design, compilers, distributed systems, or server architectures