Overview
Mozilla Enterprise Information Security is responsible for the day to day security of Mozilla systems and properties, including those delivering Firefox to millions of users and powering 10,000+ volunteers and developers.
As a penetration tester for the Mozilla Enterprise Information Security team you will proactively, collaboratively and purposely test and evaluate the operational security stance of key Mozilla services, vendors, systems and integrations as implemented. You will be a primary operative for assessing vendor, SaaS and other proposed implementations and integrations to key Mozilla systems with an eye towards understanding the complete set of security controls for a business function and the actual security assurance those controls provide.
About you
You wonder how things work. You wonder if they can be made to work differently long after others have stopped reading the manual. You understand that penetration testing is more than vulnerability scanning. You are not afraid to responsibly question a vendor’s representation of their security, yet understand that no solution offers perfect security. You understand that a system is more than the sum of its parts and that the parts often include internal, external, vendors, SaaS, cloud providers and in-house components. You are able and eager to work with business-focused people on solutions to mitigate security issues in existing and proposed systems.
Key focus areas
- Participate in recurrent penetration testing/red team exercises at Mozilla
- Perform security reviews of vendor security for proposed services, software purchases, SaaS integrations, and RFPs
- Define, standardize and document the process and artifacts of system and vendor reviews
- Actively test the security stance of our services as provided through SaaS, PaaS, cloud providers, or offices and Mozilla data centers
- Partner with key Mozilla web sites to help them enhance their security posture
- Participate in the Web Security Bug bounty program to help triage reports through to completed remediations
- Determine the effective security stance of Mozilla properties as implemented using a combination of approaches (code reviews, white box, black box testing, hands-on scanning, phishing, social engineering, etc.)
- Validate that security controls perform as expected and planned
- Validate vulnerability ratings through hands-on testing of Mozilla services as implemented in a variety of our operating environments including cloud providers, platform as a service, in house data centers, office locations, etc
- Recommend fixes for vulnerabilities discovered during testing exercises
- Writing exploits and/or proof of concept code that demonstrate the impact of vulnerabilities found
- Regularly test the implementation of security controls and vulnerability ratings of services inside and outside Mozilla, including SaaS, PaaS, cloud providers, etc.
- Integration of continuous penetration testing into a variety of traditional and DevOps environments
Additional responsibilities
- Writing unit tests to alert us on regressions with vulnerabilities
- Automation of both day-to-day and critical functions
- Provide design, architecture, and operational guidance on a variety of projects
Skills and experience
- Bachelor’s degree in computer science (or related program) or equivalent work experience
- Demonstrated experience using a mix of commercial, open source and in-house developed tools as needed to exercise security controls, discover weaknesses and test response capabilities
- Proficient in at least Python or Ruby. JavaScript, Golang, PHP, C, etc are a plus
- Able to quickly dive into source code and understand its organization, point out typical dangerous code patterns, provide guidance, etc.
- Demonstrated experience operating in sensitive, operational production environments, red teaming, and/or CTF type events
- 3+ years of experience in hands-on web application penetration testing engagements
- Comfortable discussing security impact, risks, vulnerabilities and threats to a variety of audiences and capable of balancing security with the need to move projects forward
- Comfortable with open and direct communication in a very transparent culture, navigating strong opinions while driving towards organizational goals
We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status.
About Mozilla
Mozilla is a thriving global community of technologists, thinkers and builders working collaboratively and openly to keep the Internet alive and accessible for all.
When you work at Mozilla, you give yourself a chance to make a difference in the lives of Web users everywhere. And you give us a chance to make a difference in your life every day. Join our team today and together we’ll make a better Web for tomorrow.
We’re a global community of users, contributors and developers working to keep the power of the Web in people’s hands. The collaborative efforts of Mozillians around the world drive forward the principles and aims of the Mozilla Manifesto.
• More than 1,000 volunteers contribute code to Firefox
• 400,000 people contribute to Mozilla through our project tracking system Bugzilla
• SUMO, Mozilla’s community-powered support site, helps an average of 10,000 Firefox users per week
• Students from more than 600 institutions in 57 countries spread Firefox as Mozilla Campus Representatives
Fast Facts about Mozilla:
• Half a billion people around the world use Firefox
• Firefox is free and open source software, with approximately 40% of its code written by volunteers
• Firefox is available in 89 languages
• More than 50% of global Firefox users use non-English versions
• Offices include: Auckland, Beijing, London, Mountain View, Paris, San Francisco, Portland, Taipei, Tokyo, Toronto, Vancouver