Overview

The Wikimedia Foundation is looking for a Director of Security to ensure that rapid evolution of the Wikimedia software continues to preserve the security of the sites and the privacy of our users. We are looking for someone who is passionate about Wikimedia’s mission to bring free knowledge to every person on the planet, and who will strive to help Wikimedia software developers learn to incorporate secure thinking into their development practice.

The Director of Security will join the other Engineering Directors at Wikimedia who support engineers and designers building features, products, and services used by hundreds of millions of people around the world. This is an opportunity to do good while improving the security, stability, scalability, and maintainability of one of the best known sites in the world.

YOU ARE … a smart, experienced security professional that understands all aspects of security in a top web property. You have significant software security experience in large scale systems. You understand and enjoy running security operations. You know how to create and operate incident response systems. You have experience counseling engineering and non-engineering teams about the privacy and security implications of their projects and data releases, are familiar with the benefits and vulnerabilities of different anonymization techniques, and can swiftly and effectively manage security incidents. You understand the importance of testing and documentation, and common pitfalls in developing secure web applications. You know how to build software correctly and hold others to the same high standards. You understand the principles of open source software development and the importance of community building. You have experience with and enjoy building and mentoring security teams. You enjoy being part of a large, vibrant, passionate and involved community.

You will be leading a team responsible for ensuring the security and integrity of applications written in PHP, Python, JavaScript (Node.js) among others, using both relational and key-value data storage mechanisms.

As a Director of Security,ย weโ€™d like you to do these things:

  • Develop a threat model for the Wikimedia Foundation and all our projects and define the right security profile in collaboration with your peer group and our IT department.
  • Run day-to-day security operations for the Wikimedia Foundation, including our community-facing and enterprise systems.
  • Design incident response policies and execute incident response processes.
  • Design and deploy account and content abuse detection mechanisms.
  • Refine and improve access controls and audits.
  • Lead security and privacy incident handling and response.
  • Manage external security audits and pen tests and implement mitigation strategies to address discovered vulnerabilities.
  • Serve as a subject matter expert on application security, communicating its impact on security, risk, and compliance decisions.
  • Manage a team of up to six members, leading performance reviews, hiring, goal-setting, compensation planning, and career development.
  • Design and develop security-centric enhancements of Wikimedia systems.
  • Conduct security reviews of software designs and implementations.
  • Deploy security patches to Wikimedia websites.
  • Prepare periodic security releases of MediaWiki software.
  • Define and manage department budget.
  • Work with peer groups such as Legal, Office IT, Finance, Advancement and others ย in the Foundation to define:
    • Strategies for addressing security and privacy concerns;
    • Initiatives to maintain security as related to software design, development, documentation, and release; and
    • Practices to ensure the privacy, security, and integrity of data throughout the collection, access, analysis, release, and retention processes.

Weโ€™d like you to have these skills:

  • CISPP certification is highly desirable
  • Bachelorโ€™s degree and 12 yrs of related experience; or 8 yrs and a Masterโ€™s degree; or equivalent experience
  • 5+ years of leadership experience in the Internet industry
  • 5+ years of experience building web applications
  • 3+ years of experience managing a software or security engineering team with a minimum of 5 direct reports
  • Expert knowledge of common web application vulnerabilities (OWASP Top 10 / CWE Top 25)
  • Experience with threat modeling and risk assessment
  • Good understanding of privacy technologies, such as anonymization
  • Experience integrating secure development life cycle processes
  • Extensive experience building and maintaining large-scale server applications
  • Proven record of finding and fixing software vulnerabilities
  • Expert knowledge developing and debugging in Linux (LAMP) environments
  • Excellent knowledge of PHP
  • Experience with Linux system administration and automation using shell scripting (bash, ZSH, etc.)
  • Excellent verbal and written communication skills

And it would be even more awesome if you have this:

  • Experience working on a large, mature open source project
  • Experience as a contributor in the Wikipedia or Wikimedia project communities
  • Experience with traditional information security concepts, including host- and network-based intrusion detection/prevention, host- and network-based firewalls, and application segmentation
  • Experience with mobile application security for iOS and Android platforms
  • Experience with PCI DSS audit and compliance more generally
  • Experience managing an external security audit
  • Experience with static analysis tools such as Veracode, pfff, PHP-sat and PHP_CodeSniffer
  • Experience with C/C++ debugging using open source tools like gdb and Valgrind a major plus
  • Experience with operating system internals, filesystems, programming language design, compilers, distributed systems, or server architectures

Please provide URLs to any existing free software work you may have done (your own software or patches to other packages) if possible โ€“ we’d love to see what you can do!

Benefits & Perks *

  • Fully paid medical, dental and vision coverage for employees and their eligible families (yes, fully paid premiums!)
  • The Wellness Program provides reimbursement for mind, body and soul activities such as fitness memberships, massages, cooking classes and much more
  • The 401(k) retirement plan offers matched contributions at 4% of annual salary
  • Flexible and generous time off – vacation, sick and volunteer days, plus 19 paid holidays – including the last week of the year.
  • Family friendly! 100% paid new parent leave for seven weeks plus an additional five weeks for pregnancy, flexible options to phase back in after leave, fully equipped lactation room.
  • For those emergency moments – long and short term disability, life insurance (2x salary) and an employee assistance program
  • Pre-tax savings plans for health care, child care, elder care, public transportation and parking expenses
  • Telecommuting and flexible work schedules available
  • Appropriate fuel for thinking and coding (aka, a pantry full of treats) and monthly massages to help staff relax
  • Great colleagues – diverse staff and contractors speaking dozens of languages from around the world, fantastic intellectual discourse, mission-driven and intensely passionate people

* for benefits eligible staff, benefits may vary by location

More Information

http://wikimediafoundation.org

http://blog.wikimedia.org

About Wikimedia Foundation

The Wikimedia Foundation is the non-profit organization that operates Wikipedia, the free encyclopedia.

Wikipedia and the other projects operated by the Wikimedia Foundation receive more than 431 million unique visitors per month, making them the 5th most popular web property worldwide.

Available in more than 287 languages, Wikipedia contains more than 32 million articles contributed by a global volunteer community of more than 100,000 people.

Based in San Francisco, California, the Wikimedia Foundation is an audited, 501(c)(3) charity that is funded primarily through donations and grants. The Wikimedia Foundation was created in 2003 to manage the operation of Wikipedia and its sister projects. It currently employs over 208 staff members. Wikimedia is supported by local chapter organizations in 40 countries or regions.

The Wikimedia Foundation offers competitive benefits including fully paid medical, dental, and vision coverage for employees and their eligible families (yes, fully paid premiums!). The Wellness Program provides reimbursement for mind, body and soul activities such as fitness memberships, massages, cooking classes, and much more. The 401(k) retirement plan offers matched contributions at 4% of annual salary.