Senior Security Engineer

Remote, US

Applications have closed

Freedom of the Press Foundation

Freedom of the Press Foundation protects and defends adversarial journalism in the 21st century.

Job Description

Freedom of the Press Foundation (FPF), a nonprofit organization dedicated to protecting, defending and empowering public-interest journalism, is looking for a full-time Senior Security Engineer to join the SecureDrop team.

SecureDrop is an open-source whistleblower submission system used by journalists to communicate with sources. SecureDrop is currently in use at approximately seventy news organizations worldwide, including The New York Times, The Washington Post, The Guardian, The Intercept, and ProPublica.

Responsibilities

As a Senior Security Engineer, you will help us continue to develop SecureDrop and the SecureDrop Workstation to make it more secure and usable for sources and journalists. Your responsibilities will include:

  • Update SecureDrop’s threat models and the methodologies used to develop them: proactively identify and assess risks, propose mitigations, and implement them
  • Review and integrate security automation tooling such as static code analysers, vulnerability checkers, and other tools that can mitigate or discover security issues
  • Perform code reviews for both internal and external software, and coordinate such reviews with other open source projects
  • Manage third party audits, penetration tests, tabletop exercises and software security trainings
  • Respond to security incidents and administer our bug bounty program
  • Partner with our Digital Security team in championing security engineering culture and practices
  • Provide guidance and mentorship to colleagues, to deepen understanding of application security

Requirements

  • At least 3 years of experience designing or attacking secure systems (threat modeling, penetration testing, security assessments, protocol design, cryptography, etc.)
  • Passion for building free software to solve real world problems
  • Strong knowledge of Linux systems and scripting languages, especially Python
  • Strong knowledge of software development lifecycle, including vulnerability management, release engineering, and defending against supply chain attacks

Great to have

Familiarity with one or more of the following is a plus. This is a lot but we have a lot of varied projects that you could potentially contribute to!

  • UX considerations in security engineering
  • Secure operating systems (e.g., Qubes, Tails)
  • Using or developing security monitoring tools (e.g., intrusion detection systems, file integrity monitoring, malware analysis)
  • Application development experience
  • Experience developing, integrating or reviewing cryptographic libraries
  • Incident response
  • Rust or Go experience
  • Working on Scrum/Agile teams
  • Contributing to or managing open source projects

If you’re interested in our work, but don’t fit the above description, please reach out anyway. We like to work with smart, caring people, and a quick call might help us understand what you’ve got to offer.

Working with us

Freedom of the Press Foundation aims to tackle unusually hard—but interesting—security and usability problems. If you are passionate about making security tools more usable, participating in open-source development, empowering whistleblowers, or just like a challenge, we encourage you to get in touch.

The SecureDrop team is fully distributed. All candidates will be considered for remote work with occasional travel.

If you think you’d like to be a part of our team, please send a short cover letter, your GitHub username, and your resume with links to some samples of your work to <jobs+security@freedom.press>. Women, non-binary individuals, and BIPOC individuals are especially encouraged to apply.

This is a full-time role at a competitive non-profit salary. For US employees: FPF provides health, dental and vision insurance (via Aetna); 20 days of personal time off and 13 holidays; and a 401(k) program. Freedom of the Press Foundation matches your 401(k) contributions dollar for dollar, up to 4 percent of your gross salary.

Tags: Agile Application security Audits Automation Cryptography GitHub Incident response Intrusion detection Linux Malware Monitoring Nonprofit Open Source Pentesting Python Rust Scripting Scrum Security assessment Vulnerability management

Perks/benefits: Career development Competitive pay Health care

Regions: Remote/Anywhere North America
Country: United States