Senior Security Engineer

Remote, 4-hour time zone overlap with New York City

Freedom of the Press Foundation

Freedom of the Press Foundation protects and defends adversarial journalism in the 21st century.


Freedom of the Press Foundation (FPF), a nonprofit organization dedicated to protecting, defending and empowering public-interest journalism, is looking for a full-time Senior Security Engineer to join our infrastructure team. 

The infra team manages the IT systems and services that make our work possible, and we help integrate security principles and best practices into the software development lifecycle across other engineering teams at FPF (Web, Dangerzone, and SecureDrop).

We support other engineering teams by providing CI/CD tooling, build/signing/release infrastructure and processes, vulnerability management, and incident response. In partnership with our colleagues across teams who work directly with journalists and newsrooms, we monitor the external security landscape and respond to emerging threats.

Given the nature of FPF’s work, much of which has a security focus, there is a lot of opportunity for knowledge sharing, training, and proactive threat modeling/mitigation. In your first three months, your projects could include:

  • Performing a review of a core FPF system in partnership with other members of the infrastructure team
  • Working with software development teams on standardizing the tools used for vulnerability management
  • Completing a threat model exercise with one of FPF's software development teams

This is a remote position requiring at least 4 hours of time zone overlap with New York. Candidates in New York have the option of working from our Brooklyn office.

About our stack: FPF uses a Kubernetes cluster on GCP/GKE for continuous deployment of our websites. We rely on GitHub for source control and project management, and deploy smaller systems and services to VPS infrastructure managed via Ansible and Terraform where tighter control over our exposure and attack surface is required. For certain use cases, we occasionally deploy self-hosted infrastructure or use bare metal providers. Most code we write is in Python, but we've started to incorporate Rust into our tooling as well. 

Responsibilities

Your responsibilities include: 

  • Review, integrate and standardize security automation tooling such as static code analysers, vulnerability checkers, and other tools that can mitigate or discover security issues
  • Stay informed about new security vulnerabilities and proactively engage with internal teams to respond appropriately
  • Manage third-party audits, penetration tests, tabletop exercises and software security trainings
  • Organize project-level threat modeling exercises and support each team in updating and maintaining its threat model
  • Partner with engineering teams on security reviews of complex changes
  • Respond to security incidents and administer our bug bounty programs
  • Partner with our Digital Security team in championing security engineering culture and best practices internally and externally
  • Provide guidance and mentorship to colleagues, to deepen understanding of security engineering best practices
  • Partner with the CISO and the IT Engineer on internal security policies, monitoring of the external threat landscape, and change management

Requirements

  • At least 5 years' experience designing or auditing secure systems (threat modeling, penetration testing, security assessments, protocol design, cryptography, etc.)
  • Passion for building free software to solve real world problems
  • Strong knowledge of Linux systems and scripting languages, especially Python
  • Strong knowledge of the software development lifecycle, including vulnerability management, release engineering, and defending against supply chain attacks

Great to have

Familiarity with one or more of the following is a plus. You don’t need to know everything, and we don’t know everything. We have a lot of varied projects that you could potentially contribute to and have fun with, which include:

  • Secure operating systems (e.g., Qubes, Tails)
  • Using or developing security monitoring tools (e.g., intrusion detection systems, file integrity monitoring, malware analysis)
  • Application development experience
  • Experience developing, integrating or reviewing cryptographic libraries
  • Incident response
  • Red teaming
  • Rust experience
  • Working on Scrum/Agile teams
  • Contributing to or managing open source projects

If you’re interested in our work, but don’t fit the above description, please reach out anyway. We like to work with smart, caring people, and a quick call might help us understand what you’ve got to offer. 

Working with us

FPF is a small 30-person nonprofit. Together, our work encompasses the development of privacy and security tools, training newsrooms on digital security practices, documentation of attacks on the press, and advocating for the public’s right to know. 

The Infra team is a distributed 5-person team with collective expertise in devops, cloud technologies, network security, IT, and programming. We use a lightweight Kanban-style methodology to prioritize, coordinate, and track our work. There is no on-call schedule. Team members take offset time as needed if they do work in excess of their normal working hours. 

We try our best to maintain a healthy, sustainable work environment by offering or asking for support during incident response or other time-sensitive matters. While we have a culture of security, we also value autonomy, place a lot of trust in each other, and have at least one person on the team who will inundate you with memes! 

This is a full-time role with a competitive nonprofit salary in the range of $125,000 to $140,000, depending on experience and location. This position reports to FPF’s Engineering Manager for Infrastructure.

FPF provides health, dental and vision insurance (via Aetna); 20 days of personal time off, in addition to all federal holidays and the week between Christmas and New Year’s; paid parental leave and a generous 401(k) program. Freedom of the Press Foundation matches your 401(k) contributions dollar for dollar, up to 4 percent of your gross salary.

FPF seeks to foster a culture of continuous learning, both at an individual and organizational level. To that end, team members can spend 4 hours per week on self-directed learning, and each team member has an allocated stipend for professional development. 

To mitigate against overwork, exhaustion and “crunch time”, our policies also include flexible work schedules, autonomous rebalancing of hours worked, and dedicated learning time to support self-directed professional development.

FPF is strongly committed to creating a diverse and inclusive community. We warmly welcome members of traditionally underrepresented communities to apply, including people of color, LGBTQ+ folks and people with disabilities.

FPF does not discriminate on the basis of an individual’s sex, age, race, color, creed, national origin, alienage, religion, marital status, pregnancy, sexual or reproductive health decisions, sexual orientation or affectional preference, gender identity and expression, disability, genetic trait or predisposition, carrier status, citizenship, veteran or military status and other personal characteristics protected by law.

How we hire

We are aiming to fill this position in 2023. When we have a sufficiently strong and diverse applicant pool, we may de-list this role from our website, so please don't hesitate to apply. If you'd like to have an exploratory conversation before applying, please contact us at jobs+seceng@freedom.press.

Candidates will have an initial intake call, then meet with a hiring panel and a technical interviewer. Finalists will also speak with our Executive Director and our VP of Engineering. This hiring process does not involve a take-home assignment; we will send you preparatory information before the technical interview.
