Desired Skills and Experience
- Develop a threat model for the Wikimedia Foundation and all our projects and define the right security profile in collaboration with your peer group and our IT department.
- Run day-to-day security operations for the Wikimedia Foundation, including our community-facing and enterprise systems.
- Design incident response policies and execute incident response processes.
- Design and deploy account and content abuse detection mechanisms.
- Refine and improve access controls and audits.
- Lead security and privacy incident handling and response.
- Manage external security audits and pen tests and implement mitigation strategies to address discovered vulnerabilities.
- Serve as a subject matter expert on application security, communicating its impact on security, risk, and compliance decisions.
- Manage a team of up to six members, leading performance reviews, hiring, goal-setting, compensation planning, and career development.
- Design and develop security-centric enhancements of Wikimedia systems.
- Conduct security reviews of software designs and implementations.
- Deploy security patches to Wikimedia websites.
- Prepare periodic security releases of MediaWiki software.
- Define and manage department budget.
- Work with peer groups such as Legal, Office IT, Finance, Advancement and others in the Foundation to define:
  - Strategies for addressing security and privacy concerns;
  - Initiatives to maintain security as related to software design, development, documentation, and release; and
  - Practices to ensure the privacy, security, and integrity of data throughout the collection, access, analysis, release, and retention processes.
- CISSP certification is highly desirable
- Bachelor’s degree and 12 years of related experience; or 8 years and a Master’s degree; or equivalent experience
- 5+ years of leadership experience in the Internet industry
- 5+ years of experience building web applications
- 3+ years of experience managing a software or security engineering team with a minimum of 5 direct reports
- Expert knowledge of common web application vulnerabilities (OWASP Top 10 / CWE Top 25)
- Experience with threat modeling and risk assessment
- Good understanding of privacy technologies, such as anonymization
- Experience integrating secure development life cycle processes
- Extensive experience building and maintaining large-scale server applications
- Proven record of finding and fixing software vulnerabilities
- Expert knowledge developing and debugging in Linux (LAMP) environments
- Excellent knowledge of PHP
- Experience with Linux system administration and automation using shell scripting (bash, ZSH, etc.)
- Excellent verbal and written communication skills
- Experience working on a large, mature open source project
- Experience as a contributor in the Wikipedia or Wikimedia project communities
- Experience with traditional information security concepts, including host- and network-based intrusion detection/prevention, host- and network-based firewalls, and application segmentation
- Experience with mobile application security for iOS and Android platforms
- Experience with PCI DSS audit and compliance more generally
- Experience managing an external security audit
- Experience with static analysis tools such as Veracode, pfff, PHP-sat and PHP_CodeSniffer
- Experience with C/C++ debugging using open source tools like gdb and Valgrind a major plus
- Experience with operating system internals, filesystems, programming language design, compilers, distributed systems, or server architectures
- Fully paid medical, dental, and vision coverage for employees and their eligible families (yes, fully paid premiums!)
- The Wellness Program provides reimbursement for mind, body, and soul activities such as fitness memberships, massages, cooking classes, and much more
- The 401(k) retirement plan offers matched contributions at 4% of annual salary
- Flexible and generous time off - vacation, sick, and volunteer days
- Pre-tax savings plans for health care, child care, elder care, public transportation, and parking expenses
- For those emergency moments - long and short term disability, life insurance (2x salary), and an employee assistance program
- Telecommuting and flexible work schedules available
- Appropriate fuel for thinking and coding (aka, a pantry full of treats) and monthly massages to help staff relax
- Great colleagues - international staff speaking dozens of languages from around the world, fantastic intellectual discourse, mission-driven, and intensely passionate people