Security/SOP/Application Security Reviews

= IT Standard Operating Procedure - Security Readiness Reviews =

REVIEW PROCEDURE PURPOSE SCOPE ROLES AND RESPONSIBILITY KEYWORDS AND DEFINITIONS PROCESS Concept review (optional) Design review

REVIEW PROCESS


 * 1) At least 30 days prior to the estimated deployment date, the requester creates a Phabricator Task using the Security Readiness Review request form.
 * 2) Weekly, the Security Coordinator reviews Requests.
 * 3) The Security Readiness Review request MUST include the following information (as templated within the request form):
 * 4) Name of tool/project
 * 5) Description of the tool/project
 * 6) Description of how the tool will be used at WMF
 * 7) Name of individual/group requesting review and primary contact
 * 8) Name of individual/group responsible for tool/project after deployment and primary contact
 * 9) Target date for deployment (or approximate date deployed if already in production or labs)
 * 10) Information from any review of the tool that has already been conducted
 * 11) Working test environment
 * 12) Programming language(s) used
 * 13) Source code repository location
 * 14) Upstream project home page (if applicable)
 * 15) WMF project home page (if applicable)
 * 16) Related Phabricator tickets
 * 17) Related patch set(s)
 * 18) Security Coordinator checks that the task is at least 30 days prior to deployment date or declines the Task.
 * 19) Security Coordinator checks that Task has ALL required information or holds the Task for 3 days awaiting information.
 * 20) If the task meets the requirements within items (4) and (5), then the Security Coordinator approves the Task, assigns it to a Security Team Engineer and places the the task within the “In Progress” queue.
 * 21) See the #Security-Teams Readiness Reviews workboard for currently planned reviews.
 * 22) The “In Progress” queue reflects all active Security Readiness Reviews.  These tasks typically have target completion dates of two to four weeks.
 * 23) A Security Team Engineer will review the task and if approved, will comment on the task and update the task as resolved, if neccessary.
 * 24) If your project is not on the schedule and you believe it should be, or if you have any questions about the Security Teams Readiness Review process, please ([mailto:security-team@wikimedia.org contact the Security Team]) as soon as possible.
 * 25) If your task is reviewed by the Security Team Engineer and requires action on your part, the task will be placed in the Waiting on Response/Mitigation queue.  The task may reside there for no more than 30 days.
 * 26) If the Security Team Engineer has not received a response within 30 days for the above, the task will be moved to the Frozen column.
 * 27) Tasks that have been on the Frozen column for more than 180 days will be removed from the Security-Team-Reviews project.



TROUBLESHOOTING PROCEDURES CHECKLISTS ESCALATIONS SIGNATURES Security