Security/SOP/Security Preview

Review Required by: 7th January 2021

Purpose
When considering a new initiative you can consult with the Security_Team during the conceptual/planning phase. Although concept reviews are optional, performing one allows issues to be identified early in the planning lifecycle.

Conceptual reviews can be difficult to scope, and encompass changing conditions by nature. It is the intention of the Security Team to provide valuable, timely, and best practice guidance. Initiatives of large scope may require specialized approaches or long lead times to ensure effective collaboration. It is a best practice to involve the Security Team early.

Work product this may be relevant for:
 * A team wants to use AWS Mechanical Turk and desires the Security Team's input on the plan
 * A team wants to use a third party products key management solution and needs assistance understanding the implications for data leakage/confidentiality
 * An extension is being planned that would allow users to include 's in wiki pages, to embed content from other sites. (We would surface this is inappropriate for Wikimedia as it leaks user IP addresses to a third parties in violation of our Privacy Policy.)

Work product this is not relevant for:
 * Reviewing code repositories prior to deployment. That would be a Security Readiness Review
 * Access requests to protected Phabricator tasks or NDA protected content

If you are unsure it may be best to submit a general Request For Service

Process

 * 1) Create a Security Concept Review request within Phabricator.
 * 2) Security Team members will triage requests weekly
 * 3) See the 'Incoming' #Security-Concept-Review workboard column for current requests in need of triage
 * 4) The “In Progress” column reflects all active Security Concept Reviews.

Towards the conclusion of the concept review, the Security Team will work to ensure that you understand what sufficient controls should be in place to address specific threats based upon your architecture. The Security Team may also suggest additional ways to reduce the attack surface for your initiative.

If a task has already been created within Phabricator as a placeholder for a review, we ask that you provide the information from the aforementioned Phabricator form on said task. Review requests which are missing requested information may be delayed or declined.

Expectations
Because this service line deals with half-formed ideas, concepts, and planning there are minimum requirements for making progress in such conditions.

Required Information (The form prompts for all this)


 * Current name of project
 * Project home page
 * Team or individuals who are proposing (2 phab contacts are ideal)
 * Are there previous discussions in Phab for similar concepts or features?
 * Has any risk assessment (STRIDE, etc.) been performed?
 * Is there an existing RFC or has this been presented to the community?
 * Is this project expected to require its own privacy policy?
 * Will any sensitive data to be collected, stored or exposed (`PII, credit cards, UA/IP, credentials`)?
 * Description
 * Please be verbose and feel free to link/upload related documents or existing proof of concept code
 * Please list all known internal and external dependencies, including hosting providers
 * Technologies stack
 * Please list all relevant languages, platforms, hardware, etc.

If your project is not on the schedule and you believe it should be, or if you have any questions about the Security Teams Readiness Review process, please (contact the Security Team) as soon as possible.