Security/SOP/Security Preview

Review Required by: 7 January 2021 Revised on: 5 March 2020

Purpose
When planning a new initiative (Project, Program, or Product) you can consult with the Security Team. Although Security Preview's are optional, performing one allows issues to be identified early in the planning lifecycle. Beginning with a Security Preview allows for continuity through an initiatives engagements with the Security Team, where future services are tied back to a single RFS from this point forward.

Security Previews can be difficult to scope, and may involve some ambiguity by nature. It is expected initiatives submitted for even early engagement are mature in the following ways:


 * Have resourcing
 * Have committed stakeholders
 * Have a project plan
 * Have documentation
 * Are scoped for start of work and end of work expectations

It is the intention of the Security Team to provide valuable, timely, and best practice guidance. Initiatives of large scope may require specialized approaches or long lead times to ensure effective collaboration.

Work product this may be relevant for:
 * A team wants to use AWS Mechanical Turk and desires the Security Team's input on a documented and specific plan of action.
 * A team wants to use a third party products key management solution and needs assistance understanding the implications of the technologies in use for privacy and confidentiality
 * A new Mediawiki extension is being planned that would allow users to include 's in wiki pages in order to embed content from other sites. (We would surface this as inappropriate for Wikimedia as it leaks user IP addresses to a third parties in violation of our Privacy Policy.)

Work product this is not relevant for:
 * Reviewing code repositories prior to deployment. That would be a Security Readiness Review
 * Access requests to protected Phabricator tasks or NDA protected content

If you are unsure, security-help@ is available for guidance.

Process

 * 1) Create a Security Request for Service within Phabricator.
 * 2) Security Team members will review requests as part of our public commitment
 * 3) Our triage dashboard will reflect pending requests
 * 4) The In Progress column reflects all active work.

Towards the conclusion of a Security Preview, the Security Team will work to ensure that you understand what sufficient controls should be in place to address specific threats based upon your architecture. The Security Team may also suggest additional ways to reduce the attack surface or provide other guidance as it is appropriate.

If a task has already been created within Phabricator as a placeholder for a review, we ask that you provide the information from the aforementioned Phabricator form on said task. Review requests which are missing requested information may be delayed or declined.

Expectations
Required Information (The form prompts for all this)

= Basic Information =

Primary Contacts
- `@phabname` is appropriate here. //Two// contacts are requested.

Brief description
- Reason for request. This is an outline of the intention and purpose for the project.

Do you have a project/product/program plan or documentation?
- Please link to existing documentation such as the project homepage. - Documents can be attached to this task if needed.

What Security Team services do you anticipate needing?
- https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Services - https://phabricator.wikimedia.org/project/subprojects/4420/

> set services from above / all of the above / I don’t know (Perfectly fine)

What is the 'go live' date for this project
> 3 months / 6 months / 1 year

= Technical Information =

Will any sensitive data to be collected, stored or exposed?
- https://foundation.wikimedia.org/wiki/Privacy_policy - Examples: `PII, credit cards, UA/IP, credentials`

Do related discussions exist in Phab, on wiki, or in an RFC'?
- https://www.mediawiki.org/wiki/Requests_for_comment

- Please link to existing tasks or discussions

Technology Stack
- Please list all relevant languages, platforms, hardware, etc.

- Please list all known internal and external dependencies, including hosting providers

If your project is not on the schedule and you believe it should be, or if you have any questions about the Security Teams Readiness Review process, please (contact the Security Team) as soon as possible.