Wikimedia Foundation is hiring a

Director of Security

San Francisco, United States


The Wikimedia Foundation is looking for a Director of Security to ensure that rapid evolution of the Wikimedia software continues to preserve the security of the sites and the privacy of our users. We are looking for someone who is passionate about Wikimedia's mission to bring free knowledge to every person on the planet, and who will strive to help Wikimedia software developers learn to incorporate secure thinking into their development practice.

The Director of Security will join the other Engineering Directors at Wikimedia who support engineers and designers building features, products, and services used by hundreds of millions of people around the world. This is an opportunity to do good while improving the security, stability, scalability, and maintainability of one of the best known sites in the world.

YOU ARE ... a smart, experienced security professional that understands all aspects of security in a top web property. You have significant software security experience in large scale systems. You understand and enjoy running security operations. You know how to create and operate incident response systems. You have experience counseling engineering and non-engineering teams about the privacy and security implications of their projects and data releases, are familiar with the benefits and vulnerabilities of different anonymization techniques, and can swiftly and effectively manage security incidents. You understand the importance of testing and documentation, and common pitfalls in developing secure web applications. You know how to build software correctly and hold others to the same high standards. You understand the principles of open source software development and the importance of community building. You have experience with and enjoy building and mentoring security teams. You enjoy being part of a large, vibrant, passionate and involved community.

You will be leading a team responsible for ensuring the security and integrity of applications written in PHP, Python, JavaScript (Node.js) among others, using both relational and key-value data storage mechanisms.

This is a full-time role based in San Francisco, CA or remote. 

As a Director of Security, we’d like you to do these things:

  • Develop a threat model for the Wikimedia Foundation and all our projects and define the right security profile in collaboration with your peer group and our IT department.
  • Run day-to-day security operations for the Wikimedia Foundation, including our community-facing and enterprise systems.
  • Design incident response policies and execute incident response processes.
  • Design and deploy account and content abuse detection mechanisms.
  • Refine and improve access controls and audits.
  • Lead security and privacy incident handling and response.
  • Manage external security audits and pen tests and implement mitigation strategies to address discovered vulnerabilities.
  • Serve as a subject matter expert on application security, communicating its impact on security, risk, and compliance decisions.
  • Manage a team of up to six members, leading performance reviews, hiring, goal-setting, compensation planning, and career development.
  • Design and develop security-centric enhancements of Wikimedia systems.
  • Conduct security reviews of software designs and implementations.
  • Deploy security patches to Wikimedia websites.
  • Prepare periodic security releases of MediaWiki software.
  • Define and manage department budget.
  • Work with peer groups such as Legal, Office IT, Finance, Advancement and others  in the Foundation to define:
    • Strategies for addressing security and privacy concerns;
    • Initiatives to maintain security as related to software design, development, documentation, and release; and
    • Practices to ensure the privacy, security, and integrity of data throughout the collection, access, analysis, release, and retention processes.

We’d like you to have these skills:

  • CISPP certification is highly desirable
  • Bachelor’s degree and 12 yrs of related experience; or 8 yrs and a Master’s degree; or equivalent experience
  • 5+ years of leadership experience in the Internet industry
  • 5+ years of experience building web applications
  • 3+ years of experience managing a software or security engineering team with a minimum of 5 direct reports
  • Expert knowledge of common web application vulnerabilities (OWASP Top 10 / CWE Top 25)
  • Experience with threat modeling and risk assessment
  • Good understanding of privacy technologies, such as anonymization
  • Experience integrating secure development life cycle processes
  • Extensive experience building and maintaining large-scale server applications
  • Proven record of finding and fixing software vulnerabilities
  • Expert knowledge developing and debugging in Linux (LAMP) environments
  • Excellent knowledge of PHP
  • Experience with Linux system administration and automation using shell scripting (bash, ZSH, etc.)
  • Excellent verbal and written communication skills

And it would be even more awesome if you have this:

  • Experience working on a large, mature open source project
  • Experience as a contributor in the Wikipedia or Wikimedia project communities
  • Experience with traditional information security concepts, including host- and network-based intrusion detection/prevention, host- and network-based firewalls, and application segmentation
  • Experience with mobile application security for iOS and Android platforms
  • Experience with PCI DSS audit and compliance more generally
  • Experience managing an external security audit
  • Experience with static analysis tools such as Veracode, pfff, PHP-sat and PHP_CodeSniffer
  • Experience with C/C++ debugging using open source tools like gdb and Valgrind a major plus
  • Experience with operating system internals, filesystems, programming language design, compilers, distributed systems, or server architectures

Please provide URLs to any existing free software work you may have done (your own software or patches to other packages) if possible – we'd love to see what you can do!

About the Wikimedia Foundation

The Wikimedia Foundation is the non-profit organization that supports and hosts Wikipedia and several other Wikimedia free knowledge sites. Every month, the Wikimedia sites are accessed by more than a billion unique devices. Wikipedia consists of more than 40 million articles across hundreds of languages. Every month, more than 250,000 volunteer editors contribute to Wikipedia. Based in San Francisco, California, the Wikimedia Foundation is an audited, 501(c)(3) non-profit that is funded primarily through donations and grants. It currently employs over 300 staff members.

At the Foundation, we build technology to help people everywhere access Wikipedia, across devices and in nearly 300 languages. We engineer privacy for our readers and editors so they can safely and securely explore Wikipedia. We create programs and initiatives to make Wikipedia freely available to more people in more parts of the world. We build new tools for the community of editors so they can continue to improve and grow Wikipedia. Roughly a quarter of our budget goes to supporting the community that make the site possible, including through grantmaking programs that enable volunteers and enrich the information on the sites.

The Wikimedia Foundation is an equal opportunity employer, and we encourage people with a diverse range of backgrounds to apply.

Benefits & Perks *

  • Fully paid medical, dental and vision coverage for employees and their eligible families (yes, fully paid premiums!)
  • The Wellness Program provides reimbursement for mind, body and soul activities such as fitness memberships, baby sitting, continuing education and much more
  • The 401(k) retirement plan offers matched contributions at 4% of annual salary
  • Flexible and generous time off - vacation, sick and volunteer days, plus 19 paid holidays - including the last week of the year.
  • Family friendly! 100% paid new parent leave for seven weeks plus an additional five weeks for pregnancy, flexible options to phase back in after leave, fully equipped lactation room.
  • For those emergency moments - long and short term disability, life insurance (2x salary) and an employee assistance program
  • Pre-tax savings plans for health care, child care, elder care, public transportation and parking expenses
  • Telecommuting and flexible work schedules available
  • Appropriate fuel for thinking and coding (aka, a pantry full of treats) and monthly massages to help staff relax
  • Great colleagues - diverse staff and contractors speaking dozens of languages from around the world, fantastic intellectual discourse, mission-driven and intensely passionate people

* for benefits eligible staff, benefits may vary by location

More Information