The Wikimedia Foundation is looking for a Director of Security to ensure that rapid evolution of the Wikimedia software continues to preserve the security of the sites and the privacy of our users. We are looking for someone who is passionate about Wikimedia's mission to bring free knowledge to every person on the planet, and who will strive to help Wikimedia software developers learn to incorporate secure thinking into their development practice.
The Director of Security will join the other Engineering Directors at Wikimedia who support engineers and designers building features, products, and services used by hundreds of millions of people around the world. This is an opportunity to do good while improving the security, stability, scalability, and maintainability of one of the best known sites in the world.
YOU ARE ... a smart, experienced security professional who understands all aspects of security in a top web property. You have significant software security experience in large-scale systems. You understand and enjoy running security operations. You know how to create and operate incident response systems. You have experience counseling engineering and non-engineering teams about the privacy and security implications of their projects and data releases, are familiar with the benefits and vulnerabilities of different anonymization techniques, and can swiftly and effectively manage security incidents. You understand the importance of testing and documentation, and the common pitfalls in developing secure web applications. You know how to build software correctly and hold others to the same high standards. You understand the principles of open source software development and the importance of community building. You have experience with and enjoy building and mentoring security teams. You enjoy being part of a large, vibrant, passionate and involved community.
As a Director of Security, we’d like you to do these things:
- Develop a threat model for the Wikimedia Foundation and all our projects and define the right security profile in collaboration with your peer group and our IT department.
- Run day-to-day security operations for the Wikimedia Foundation, including our community-facing and enterprise systems.
- Design incident response policies and execute incident response processes.
- Design and deploy account and content abuse detection mechanisms.
- Refine and improve access controls and audits.
- Lead security and privacy incident handling and response.
- Manage external security audits and pen tests and implement mitigation strategies to address discovered vulnerabilities.
- Serve as a subject matter expert on application security, communicating its impact on security, risk, and compliance decisions.
- Manage a team of up to six members, leading performance reviews, hiring, goal-setting, compensation planning, and career development.
- Design and develop security-centric enhancements of Wikimedia systems.
- Conduct security reviews of software designs and implementations.
- Deploy security patches to Wikimedia websites.
- Prepare periodic security releases of MediaWiki software.
- Define and manage department budget.
- Work with peer groups such as Legal, Office IT, Finance, Advancement and others in the Foundation to define:
  - Strategies for addressing security and privacy concerns;
  - Initiatives to maintain security as related to software design, development, documentation, and release; and
  - Practices to ensure the privacy, security, and integrity of data throughout the collection, access, analysis, release, and retention processes.
We’d like you to have these skills:
- CISSP certification is highly desirable
- Bachelor’s degree and 12 yrs of related experience; or 8 yrs and a Master’s degree; or equivalent experience
- 5+ years of leadership experience in the Internet industry
- 5+ years of experience building web applications
- 3+ years of experience managing a software or security engineering team with a minimum of 5 direct reports
- Expert knowledge of common web application vulnerabilities (OWASP Top 10 / CWE Top 25)
- Experience with threat modeling and risk assessment
- Good understanding of privacy technologies, such as anonymization
- Experience integrating secure development life cycle processes
- Extensive experience building and maintaining large-scale server applications
- Proven record of finding and fixing software vulnerabilities
- Expert knowledge developing and debugging in Linux (LAMP) environments
- Excellent knowledge of PHP
- Experience with Linux system administration and automation using shell scripting (bash, ZSH, etc.)
- Excellent verbal and written communication skills
And it would be even more awesome if you have this:
- Experience working on a large, mature open source project
- Experience as a contributor in the Wikipedia or Wikimedia project communities
- Experience with traditional information security concepts, including host- and network-based intrusion detection/prevention, host- and network-based firewalls, and application segmentation
- Experience with mobile application security for iOS and Android platforms
- Experience with PCI DSS audit and compliance more generally
- Experience managing an external security audit
- Experience with static analysis tools such as Veracode, pfff, PHP-sat and PHP_CodeSniffer
- Experience with C/C++ debugging using open source tools like gdb and Valgrind a major plus
- Experience with operating system internals, filesystems, programming language design, compilers, distributed systems, or server architectures
Please provide URLs to any existing free software work you may have done (your own software or patches to other packages) if possible – we'd love to see what you can do!
About the Wikimedia Foundation
The Wikimedia Foundation is the non-profit organization that operates Wikipedia, the free encyclopedia. Wikimedia projects receive more than 500 million page views per day and reach more than 700 million unique devices monthly. Wikipedia, the largest project the Wikimedia Foundation hosts, contains more than 40 million articles in 238 languages contributed by more than 70,000 active Wikipedians.
Benefits & Perks *
- Fully paid medical, dental, and vision coverage for employees and their eligible families (yes, fully paid premiums!)
- The Wellness Program provides reimbursement for mind, body, and soul activities such as fitness memberships, massages, cooking classes, and much more
- The 401(k) retirement plan offers matched contributions at 4% of annual salary
- Flexible and generous time off - vacation, sick, and volunteer days
- Pre-tax savings plans for health care, child care, elder care, public transportation, and parking expenses
- For those emergency moments - long and short term disability, life insurance (2x salary), and an employee assistance program
- Telecommuting and flexible work schedules available
- Appropriate fuel for thinking and coding (aka, a pantry full of treats) and monthly massages to help staff relax
- Great colleagues - international staff speaking dozens of languages from around the world, fantastic intellectual discourse, mission-driven, and intensely passionate people
* For benefits-eligible staff; benefits may vary by location.