WordPress Security Analyst

Palm Beach Gardens, Florida, United States - Remote

Applications have closed

Awesome Motive

We offer software and training to help small businesses grow and compete with the big guys. Over 25 million websites use our software.

As a WordPress Security Analyst, you're responsible for Making Stuff Secure. You will work directly with our product teams to secure networks, applications and data inside a fast-paced organization with numerous high traffic systems and large scale products in a multi-cloud environment.

In this role, you will be involved in the full security lifecycle from design, maintenance, implementation, monitoring, detection, incident response and remediation, post-mortem analysis and research. You'll help manage relationships with outside security vendors that we employ and ecosystem partners that we work with, as well as contribute to the security of OSS systems that our products rely on, including WordPress Core. This exciting and rewarding role plays a critical part in protecting tens of millions of websites worldwide and giving back to the greater WordPress & OSS communities we built upon.

💡 Interested in applying?

🔍 Please read/follow the next steps outlined in "How to Apply" at the bottom of this listing.

Attention to detail is one of our core values! This is your chance to stand out :)

To love this role, here’s the type of person you are:

  • You’re a self-starter who loves taking initiative and seeing things through from conception to completion.
  • You're an excellent communicator, fluent in both verbal and written English, who makes sure nothing slips through the cracks. We believe communication is critical and there is no such thing as over-communicating or asking for help when needed.
  • You have the curiosity and desire to learn and grow your skills.
  • You're a team player who is comfortable working alongside and helping developers, and you don't take critical feedback personally.
  • You're comfortable advising and implementing remediation fixes, including writing PHP and JavaScript.
  • You're happy working on tasks of all sizes - from quick code snippet reviews to auditing large features/rewrites.

Common responsibilities include (but are not limited to):

  • Reviewing and testing existing plugin, website and API code, from planning through execution, and remediation as necessary
  • Handle communication with ecosystem partners for inbound and outbound security disclosures
  • Coordinating external security reviews
  • Advise on and, in some cases, help implement security remediation fixes for code (which may involve you writing PHP and/or JavaScript)
  • Advising product developers on security best practices
  • Performing application penetration testing, plugin code static and dynamic analysis
  • Providing feedback and peer review for developers (GitHub PRs).
  • Communicating with the team and supporting your peers using chat, audio, and video.
  • Assist with network administration and security, onboarding & offboarding contractors/employees, maintaining operations and security documentation.

Requirements

  • Previous experience with security testing, vulnerability research/finding and/or plugin code auditing.
  • Professional experience with WordPress plugin development, architecture, and standards.
  • Good understanding of PHP including modern PHP practices (OOP, autoloading, namespacing, traits, interfaces, etc), MySQL and JavaScript (vanilla JS, jQuery, ES6, etc), as well as WordPress/PHP sanitization, validation and escaping functions.
  • Thorough understanding of regular expressions.
  • Competent with version control through git, SVN and GitHub.
  • Must be familiar with industry standards like OWASP Top 10 and CVSS scoring systems
  • Exceptional troubleshooting skills.
  • Ability to keep complex ideas and features simple. (Simplicity is a core value!)
  • Previous freelance or remote work experience.
  • Personal Computer with Internet Access
  • A minimum daily EST overlap

Bonus points if you also have:

  • Experience working on a WordPress or adjacent PHP and/or JavaScript security group, such as the WordPress Core Security Team
  • Amazon Web Services (AWS) and/or Google Cloud and/or DigitalOcean infrastructure architecture, design and implementation, particularly in the areas of VPCs, Security Groups, Network ACLs, CloudFormation and EC2 (or platform equivalents on Google Cloud and/or DigitalOcean) and experience using the AWS (and/or alternative Cloud Provider) CLI
  • Experience with database types beyond MySQL and MariaDB such as MySQL-compatible databases like AWS Aurora or Vitess or non-MySQL-compatible ones like Elasticsearch, MongoDB, DocumentDB, PostgreSQL or Redis.
  • Experience with the PHP frameworks Laravel and/or Slim Framework
  • Advanced proficiency in the JavaScript frameworks VueJS and/or React.
  • Experience with e-commerce platforms or related APIs (Easy Digital Downloads, WooCommerce, Stripe, PayPal, etc).
  • Implementation and ongoing tuning of Wazuh or similar platforms
  • Experience with Nessus or similar tools
  • Experience with Python
  • Experience with PCI compliance principles as well as the NIST Cybersecurity Framework
  • Relevant certifications (OSWE, OSCP, CISSP, AWS Certified Solutions Architect (Associate or Professional), AWS Certified Security Specialist, etc)

Benefits

Working for a fast-growing bootstrapped company is a rare opportunity, one we consider a lifestyle choice rather than a job choice. Our positions are challenging, but also come with amazing advantages and fulfillment to those who earn them. Here’s what we offer.

  • Competitive Salary.
  • Health, Dental and Vision Insurance benefits for full-time U.S. employees.
  • Health Insurance benefits for all employees in India, Pakistan, Brazil, and Ukraine.
  • Work from your home. We’re spread out all over the world – United States, Canada, Ukraine, India, Pakistan, Singapore and more.
  • Unlimited PTO after 90 days of employment. We encourage employees to take the time they need for vacation, to stay healthy, and to spend time with friends and family.
  • Paid maternity and paternity leave.
  • We happily provide or reimburse software you’ll need as well as books or courses that promote continued learning.
  • We give you the opportunity to solve challenging and meaningful problems that make a difference.
  • Custom Branded laptop at your five year anniversary.
  • We cover all costs of company travel (including our annual all-company retreat and mini-team meetups).
  • Ability to work with some of the best people in the business through frequent, if not daily, interactions.
  • And in case you were wondering: no politics, no b.s., and no jerks.

Location

This is a remote position - our team is spread around the globe! Our home base is in Florida, USA, so company operating hours are 9am - 5pm ET (UTC -5). While full coverage is not a requirement, you must be available during a portion of the day.

Inclusion Statement

At Awesome Motive, we strive to have the broadest possible view of diversity, going beyond visible differences to include the background, experiences, skills, and perspectives that make each person unique. Awesome Motive is proud to be an equal opportunity workplace and is committed to equal employment opportunity regardless of race, color, ancestry, religion, sex, national origin, sexual orientation, age, citizenship, marital status, disability, gender identity, Veteran status, or any other basis protected by federal, state, or local law.

How to apply?

If all of this sounds interesting, then please submit your application!

Please clearly include the following in your cover letter:

  • Your experience with PHP and JavaScript, particularly as it relates to their use in WordPress plugins.
  • Your background and history related to security analysis
  • Tell us a bit about yourself and why you should be considered. Details about your experience, qualifications, personality, etc are very helpful.
  • Profile links with code samples if you have written any (GitHub, GitLab, WordPress.org, etc).
  • Other profile links if available (Your website, Twitter, LinkedIn, etc).


Also note, don't forget to proofread before submitting. Check spelling, capitalization, etc. This is your chance to make your application stand out :)

We won’t be able to individually respond to all applications, but if we feel you’re a strong match, someone will be in touch shortly. Qualified candidates will be asked to do a simple code challenge.

Thanks and we look forward to hearing from you!

Tags: APIs Audits AWS CISSP Cloud Compliance CVSS EC2 E-commerce Elasticsearch ES6 GCP GitHub GitLab Incident response JavaScript MongoDB Monitoring MySQL Nessus NIST OSCP OSWE OWASP Pentesting PHP PostgreSQL Python Redis Security analysis

Perks/benefits: Career development Competitive pay Flex vacation Gear Health care Insurance Parental leave Salary bonus Team events Unlimited paid time off

Regions: Remote/Anywhere North America
Country: United States
Category: Analyst Jobs