Wikimedia Security Team/Security reviews

Review process
Before a security-critical feature, extension, service, or library is deployed by the WMF, it needs a security review by the security team. Additionally, third-party systems where confidential data is stored should have a security review as well.

Typically, WMF teams or individual mediawiki developers embarking on a new project should plan to have 2 or 3 checkins with the security team.

Concept review (optional)
When considering a new project, if there is any doubt that the feature might not be a good idea for security, or might negatively impact user privacy, you can optionally consult with the Security Team during the Concept phase of your project. Typically, and email description of your project, or a 30 minute meeting with a team member, is enough to identify any potentially serious issues.

Design review
Currently optional, but may become mandatory in the future.

When you have completed enough planning for your project to know broadly which systems will be involved, what data will be handled by your project, and what new services or endpoints users will interact with, then you should have a design review with the Security Team. This review is to ensure that you have controls in place to address specific threats, based on your architecture. During this review (or the optional Concept review), the Security Team can also suggest way to reduce the attack surface for your project, which will reduce the security requirements for your project.

Typically, this is a 60 minutes meeting between the technical or architectural leads for the project, and a member of the Security Team.

Security and privacy review, for deployment (mandatory)
Projects must have a "Security Review" task in Phabricator documenting that they have performed a security review, and addressed any blockers, before they can deploy a new extension or major feature.

This review will ensure that controls identified in the design review have been implemented. Additionally, the team will attempt to ensure that the project avoids common implementation flaws.

In the near future, the Security Team will also ensure that privacy impact documentation has been completed.

Expectations

 * All code should avoid the top 25 CWE's, and comply with the requirements of Security for developers/Architecture.
 * Libraries should encourage safe practices by the developers who use them, or clearly document when misuse can result in a security flaw.
 * Services should use a standard framework or service template.
 * External applications (services, or applications such as media conversion utilities) used by the code should not have known, open security issues. The application should be supported by a competent security program.
 * Privacy impact has been considered, and mitigated when appropriate.
 * For external application or libraries, a WMF team must be committed to being alerted about and fixing any security issues that are fixed by the upstream developers.

Requesting a review
To request a review, open a Phabricator task, and associate it with the Security-Reviews project. Include the following information, or [https://phabricator.wikimedia.org/maniphest/task/create/?projects=Security-Reviews&description=%3d%20%50%72%6f%6a%65%63%74%20%49%6e%66%6f%72%6d%61%74%69%6f%6e%0a%2a%20%4e%61%6d%65%20%6f%66%20%74%6f%6f%6c%2f%70%72%6f%6a%65%63%74%3a%0a%2a%20%50%72%6f%6a%65%63%74%20%68%6f%6d%65%20%70%61%67%65%3a%0a%2a%20%4e%61%6d%65%20%6f%66%20%74%65%61%6d%20%72%65%71%75%65%73%74%69%6e%67%20%72%65%76%69%65%77%3a%0a%2a%20%50%72%69%6d%61%72%79%20%63%6f%6e%74%61%63%74%3a%0a%2a%20%54%61%72%67%65%74%20%64%61%74%65%20%66%6f%72%20%64%65%70%6c%6f%79%6d%65%6e%74%3a%0a%2a%20%4c%69%6e%6b%20%74%6f%20%63%6f%64%65%20%72%65%70%6f%73%69%74%6f%72%79%20%2f%20%70%61%74%63%68%73%65%74%3a%0a%2a%20%50%72%6f%67%72%61%6d%6d%69%6e%67%20%4c%61%6e%67%75%61%67%65%28%73%29%20%55%73%65%64%3a%0a%0a%3d%3d%20%44%65%73%63%72%69%70%74%69%6f%6e%20%6f%66%20%74%68%65%20%74%6f%6f%6c%2f%70%72%6f%6a%65%63%74%0a%0a%3d%3d%20%44%65%73%63%72%69%70%74%69%6f%6e%20%6f%66%20%68%6f%77%20%74%68%65%20%74%6f%6f%6c%20%77%69%6c%6c%20%62%65%20%75%73%65%64%20%61%74%20%57%4d%46%0a%0a%3d%3d%20%44%65%70%65%6e%64%65%6e%63%69%65%73%0a%4c%69%73%74%20%64%65%70%65%6e%64%65%6e%63%69%65%73%2c%20%6f%72%20%75%70%73%74%72%65%61%6d%20%70%72%6f%6a%65%63%74%73%20%74%68%61%74%20%74%68%69%73%20%70%72%6f%6a%65%63%74%20%72%65%6c%69%65%73%20%6f%6e%0a%0a%3d%3d%20%48%61%73%20%74%68%69%73%20%70%72%6f%6a%65%63%74%20%62%65%65%6e%20%72%65%76%69%65%77%65%64%20%62%65%66%6f%72%65%3f%20%3d%3d%0a%2f%2f%70%6c%65%61%73%65%20%6c%69%6e%6b%20%74%6f%20%74%61%73%6b%73%20%6f%72%20%77%69%6b%69%20%70%61%67%65%73%20%6f%66%20%70%72%65%76%69%6f%75%73%20%72%65%76%69%65%77%73%2f%2f%0a%0a%3d%3d%20%57%6f%72%6b%69%6e%67%20%74%65%73%74%20%65%6e%76%69%72%6f%6e%6d%65%6e%74%20%3d%3d%0a%2f%2f%70%6c%65%61%73%65%20%6c%69%6e%6b%20%6f%72%20%64%65%73%63%72%69%62%65%20%73%65%74%75%70%20%70%72%6f%63%65%73%73%20%66%6f%72%20%73%65%74%74%69%6e%67%20%75%70%20%61%20%74%65%73%74%20%65%6e%76%69%72%6f%6e%6d%65%6e%74%2f%2f%0a%0a%3d%20%50%6f%73%74%2d%64%65%70%6c%6f%79%6d%65%6e%74%0a%2f%2f%6e%61%6d%65%20%6f%66%20%74%65%61%6d%20%72%65%73%70%6f%6e%73%69%62%6c%65%20%66%6f%72%20%74%6f%6f%6c%2f%70%72%6f%6a%65%63%74%20%61%66%74%65%72%20%64%65%70%6c%6f%79%6d%65%6e%74%20%61%6e%64%20%70%72%69%6d%61%72%79%20%63%6f%6e%74%61%63%74%2f%2f click here] to pre-load a review request template.

Review requests should include:
 * Name of tool/project
 * Description of the tool/project
 * Description of how the tool will be used at WMF
 * Name of individual/group requesting review and primary contact
 * Name of individual/group responsible for tool/project after deployment and primary contact
 * Target date for deployment (or approximate date deployed if already in production or labs)
 * Information from any review of the tool that has already been conducted
 * Working test environment
 * Programming language(s) used
 * Source code repository location
 * Upstream project home page (if applicable)
 * WMF project home page (if applicable)
 * Related phabricator tickets
 * Related patchset(s)