Senior Security Engineer
Remote, 4 hour time zone overlap with New York City
Freedom of the Press Foundation protects and defends adversarial journalism in the 21st century.
Freedom of the Press Foundation (FPF), a nonprofit organization dedicated to protecting, defending and empowering public-interest journalism, is looking for a full-time Senior Security Engineer to join our infrastructure team.
The infra team manages the IT systems and services that make our work possible, and we help integrate security principles and best practices into the software development lifecycle across other engineering teams at FPF (Web, Dangerzone, and SecureDrop).
We support other engineering teams by providing CI/CD tooling, build/signing/release infrastructure and processes, vulnerability management, and incident response. In partnership with our colleagues across teams who work directly with journalists and newsrooms, we monitor the external security landscape and respond to emerging threats.
Given the nature of FPF’s work, much of which has a security focus, there is a lot of opportunity for knowledge sharing, training, and proactive threat modeling/mitigation. In your first three months, your projects could include:
- Performing a security review of a core FPF system in partnership with other members of the infrastructure team
- Working with the software development teams to standardize the tools used for vulnerability management
- Completing a threat model exercise with one of FPF’s software development teams
This is a remote position requiring at least 4 hours of time zone overlap with New York. Candidates in New York have the option of working from our Brooklyn office.
About our stack: FPF uses a Kubernetes cluster on GCP/GKE for continuous deployment of our websites. We rely on GitHub for source control and project management, and deploy smaller systems and services to VPS infrastructure managed via Ansible and Terraform where tighter control over our exposure and attack surface is required. For certain use cases, we occasionally deploy self-hosted infrastructure or use bare metal providers. Most code we write is in Python, but we've started to incorporate Rust into our tooling as well.
Your responsibilities include:
- Review, integrate and standardize security automation tooling such as static code analysers, vulnerability checkers, and other tools that can mitigate or discover security issues
- Stay informed about new security vulnerabilities and proactively engage with internal teams to respond appropriately
- Manage third-party audits, penetration tests, tabletop exercises and software security trainings
- Organize project-level threat modeling exercises and support each team in updating and maintaining its threat model
- Partner with engineering teams on security reviews of complex changes
- Respond to security incidents and administer our bug bounty programs
- Partner with our Digital Security team in championing security engineering culture and best practices internally and externally
- Provide guidance and mentorship to colleagues, to deepen understanding of security engineering best practices
- Partner with the CISO and the IT Engineer on internal security policies, monitoring of the external threat landscape, and change management
Must have
- At least 5 years of experience designing or auditing secure systems (threat modeling, penetration testing, security assessments, protocol design, cryptography, etc.)
- Passion for building free software to solve real-world problems
- Strong knowledge of Linux systems and scripting languages, especially Python
- Strong knowledge of software development lifecycle, including vulnerability management, release engineering, and defending against supply chain attacks
Great to have
Familiarity with one or more of the following is a plus. You don’t need to know everything, and we don’t know everything. We have a lot of varied projects that you could potentially contribute to and have fun with, which include:
- Secure operating systems (e.g., Qubes, Tails)
- Using or developing security monitoring tools (e.g., intrusion detection systems, file integrity monitoring, malware analysis)
- Application development experience
- Experience developing, integrating or reviewing cryptographic libraries
- Incident response
- Red teaming
- Rust experience
- Working on Scrum/Agile teams
- Contributing to or managing open source projects
If you’re interested in our work, but don’t fit the above description, please reach out anyway. We like to work with smart, caring people, and a quick call might help us understand what you’ve got to offer.
Working with us
FPF is a small 30-person nonprofit. Together, our work encompasses the development of privacy and security tools, training newsrooms on digital security practices, documentation of attacks on the press, and advocating for the public’s right to know.
The Infra team is a distributed 5-person team with collective expertise in devops, cloud technologies, network security, IT, and programming. We use a lightweight Kanban-style methodology to prioritize, coordinate, and track our work. There is no on-call schedule. Team members take offset time as needed if they do work in excess of their normal working hours.
We try our best to maintain a healthy, sustainable work environment by offering or asking for support during incident response or other time-sensitive matters. While we have a culture of security, we also value autonomy, place a lot of trust in each other, and have at least one person on the team who will inundate you with memes!
This is a full-time role with a competitive nonprofit salary in the range of $125,000 to $140,000, depending on experience and location. This position reports to FPF’s Engineering Manager for Infrastructure.
FPF provides health, dental and vision insurance (via Aetna); 20 days of personal time off, in addition to all federal holidays and the week between Christmas and New Year’s; paid parental leave and a generous 401(k) program. Freedom of the Press Foundation matches your 401(k) contributions dollar for dollar, up to 4 percent of your gross salary.
FPF seeks to foster a culture of continuous learning, both at an individual and organizational level. To that end, team members can spend 4 hours per week on self-directed learning, and each team member has an allocated stipend for professional development.
To mitigate overwork, exhaustion and “crunch time”, our policies also include flexible work schedules, autonomous rebalancing of hours worked, and dedicated learning time to support self-directed professional development.
FPF is strongly committed to creating a diverse and inclusive community. We warmly welcome members of traditionally underrepresented communities to apply, including people of color, LGBTQ+ folks and people with disabilities.
FPF does not discriminate on the basis of an individual’s sex, age, race, color, creed, national origin, alienage, religion, marital status, pregnancy, sexual or reproductive health decisions, sexual orientation or affectional preference, gender identity and expression, disability, genetic trait or predisposition, carrier status, citizenship, veteran or military status and other personal characteristics protected by law.
How we hire
We are aiming to fill this position in 2023. When we have a sufficiently strong and diverse applicant pool, we may de-list this role from our website, so please don't hesitate to apply. If you'd like to have an exploratory conversation before applying, please contact us at firstname.lastname@example.org.
Candidates will have an initial intake call, then meet with a hiring panel and a technical interviewer. Finalists will also speak with our Executive Director and our VP of Engineering. This hiring process does not involve a take-home assignment; we will send you preparatory information before the technical interview.
Tags: Agile Ansible Audits Automation CI/CD Cloud Cryptography DevOps GCP GitHub Incident response Intrusion detection Kanban Kubernetes Linux Malware Monitoring Network security Nonprofit Open Source Pentesting Privacy Python Red team Rust Scripting Scrum Security assessment Terraform Vulnerabilities Vulnerability management