Wikimedia Security Team/Roadmap

This documents the planned activities of the Security Team, based on the anticipated funding under the FY16-17 Annual Plan. These plans are subject to change based on funding, ability to hire, and prioritization changes.

= Roadmap =

The Security Team has existed since April 2015, and was given the mandate of “Making life hard for the people who want to do harm to our sites or the people that use them.” The work encompasses driving, and often directly implementing, security programs across the diverse WMF technology and product teams, as well as close collaboration on security and privacy issues with non-engineering teams. The Security Team also works with the Wikimedia community to address security and privacy issues on our sites.

== Application Security ==
During the 2016-17 fiscal year, the team will continue to improve security throughout the development process by providing:
 * training to development teams so all developers know how to write secure code
 * secure design and architecture reviews for projects
 * security reviews for teams prior to deploying new features
 * periodic review by WMF staff and other security professionals of code to identify vulnerabilities
 * static, dynamic, and manual security testing for deployed software
 * triage for reported security bugs, and assistance to teams addressing them
 * security updates (security releases) for third-party users

Improving security throughout the life cycle of code produced by the WMF should reduce the number of exploitable vulnerabilities on WMF-run sites, preventing what could be a catastrophic loss of user trust in the event of a significant data breach. It also reduces Denial of Service vectors which, if exploited, could prevent users from accessing our sites and prevent the Foundation from achieving its mission.

Additionally, the Security Team will periodically implement specific security features to either remove an entire class of vulnerabilities or make a specific vulnerability less likely. During the 2015-16 fiscal year, the team implemented authentication improvements for wiki accounts (password policies for privileged groups and two-factor authentication), and began work on implementing Content Security Policy (CSP) headers and on isolating password hashes in a separate backend authentication service.

Training- We need to keep giving PCI training twice per year, as well as in-person training for WMF staff and community members. During the next fiscal year, the Security Team should give approximately 2 trainings / quarter.

Security and privacy design reviews- During 2015-16, the team had an average of 19 review requests / quarter. Community Engagement has estimated that they will request another 15 reviews / year, so the team should anticipate about 23 reviews / quarter. Each review consists of a design review and a final code review. When fully staffed in the 2016-17 fiscal year, the team should have 3 positions (2 engineers and the director) who can share the responsibility for these reviews.

Automated scanning- The team should continue to maintain automated dynamic and static security scanning of MediaWiki. In addition to ensuring that the scans are running and that identified issues are triaged, tracked, and fixed, the team should continually update and tune the scans so that each newly identified vulnerability in a scanned feature is detected by the scanner; a regression, or the same flaw in another feature, is then flagged automatically. The Security Team also performs automated vulnerability scanning of fundraising systems to fulfill PCI DSS requirement 11.2.3 (scanning after significant changes). Responsibility for these scans will be shared by the security engineers and the security analyst.

Security bugs- The team will continue to triage reported security issues: confirming the issue, assigning a priority, and flagging the issue for the appropriate team where possible. In many cases the team will develop, review, and deploy the fix itself; it may be beneficial to track the percentage of security bugs fixed by the Security Team as a metric, with the goal of seeing it decrease each year as other teams take on more of the fixes. When fully staffed, the Security Team should close more reported security issues each month than are opened, so that the total number of open security issues decreases. The team has also allocated some consulting budget to address the existing backlog of issues more quickly.

Periodic review- Members of the team will often find vulnerabilities themselves, but they should also ensure that WMF software is frequently evaluated by outside parties. During the 2014-15 year, MediaWiki was assessed by iSEC Partners, a security consulting firm. The Security Team may consider running a bug bounty program in the future.

== Privacy ==
With the creation and funding of the Privacy Roadmap, and in the absence of a Chief Privacy Officer with a dedicated team, the Security Team has taken on much of the technical work contained in that roadmap. This has involved drafting data access guidelines to govern engineering teams, and preliminary work on data mapping. The Security Team also regularly reviews data sets prior to release to assess their privacy impact.

During the 2016-17 fiscal year, the Security Team plans to:
 * Complete and maintain the data mapping project for product (Q1) and technology (Q2-4) teams, tracking repositories of private data, security controls around the data, and their compliance with our privacy policy.
 * Privacy by Design - the Security Team will support implementing PbD across product and technology teams. (Q3)
 * Security audit - the Security Team will coordinate a followup organizational penetration test in Q3. The audit may also include more components of the cluster next year, in coordination with the Tech Ops team.
 * Finish programs necessary for PCI SAQ A-EP compliance, in coordination with Fundraising Tech. (Q2-3)
 * Work with OIT to ensure protection of critical staff devices.

== Security coordination ==
The Security Team also works with other teams on security and privacy impacting projects across the WMF.
 * Operations - The Security Team coordinates with the Tech Ops team to ensure that gaps are being addressed and that priorities are appropriately set.
 * Safety - The Security Team coordinates with the community Safety team to ensure that tooling to identify malicious users is working correctly while staying compliant with our privacy policies. The Security Team will also dedicate some resources to addressing longstanding issues in anti-spam tools (Q3).
 * Legal - In addition to the dedicated work on privacy, the Security Team closely coordinates with the legal team on many incidents. The Security Team also helps the legal team establish trusted encryption keys, so they can exchange secure emails.
 * OIT - Without strong operational security discipline, the WMF infrastructure can easily be compromised through the legitimate access granted to staff members. The Security Team periodically coordinates with Office IT to address specific threats and to provide security training for staff.

= Timeline =

== July-Sept ==

 * Hiring
 * Secure Code training
 * PCI/OWASP training (Sept)
 * Finish data mapping for product
 * Continue static, dynamic, and vulnerability scanning
 * Security reviews as needed
 * Triage security bugs, plan security releases, as needed
 * Continue two-factor auth pilot?
 * Continue work on Authentication Service?

== Oct-Dec ==

 * Hiring
 * Secure Code training; Organizational security / Phishing training?
 * Start data mapping for technology teams
 * Continue PCI completion work

== Jan-March ==

 * Secure Code training
 * PCI/OWASP training (second of the two annual sessions)
 * Finish PCI work
 * Privacy by Design implementation
 * Followup organizational security audit
 * Continue data mapping for technology teams
 * Begin implementing a consistent data retention, storage, and deletion process
 * Anti-spam tools
 * Improve intrusion detection and response capabilities

== April-June ==

 * Secure Code training
 * Finish data mapping for technology teams
 * Privacy by Design implementation
 * Improve protection of staff devices