Security/SOP/Security Preview

Review Required by: 7th January 2021

Purpose
When considering a new initiative you can consult with the Security Team during the conceptual/planning phase. Although concept reviews are optional, performing one allows issues to be identified early in the planning lifecycle.

Work product this may be relevant for:
 * A team wants to use AWS Mechanical Turk and desires the Security Team's input on the plan
 * A team wants to use a third party products key management solution and needs assistance understanding the implications for data leakage/confidentiality
 * An extension is being planned that would allow users to include 's in wiki pages, to embed content from other sites. (We would surface this is inappropriate for Wikimedia as it leaks user IP addresses to a third parties in violation of our Privacy Policy.)

Work product this is not relevant for:
 * Reviewing code repositories prior to deployment. That would be a Security Readiness Review
 * Access requests to protected Phabricator tasks or NDA protected content

If you are unsure it may be best to submit a general Request For Service

Process

 * 1) Create a Security Concept Review request within Phabricator.
 * 2) Security Team members will triage requests weekly
 * 3) See the 'Incoming' #Security-Concept-Review workboard column for current requests in need of triage
 * 4) The “In Progress” column reflects all active Security Concept Reviews.
 * 5) If your request is not on the schedule and you believe it should be, or if you have any questions about the Security Teams Concept Review process, please (contact the Security Team) as soon as possible.

Towards the conclusion of the concept review, the Security Team will work to ensure that you understand what sufficient controls should be in place to address specific threats based upon your architecture. The Security Team may also suggest additional ways to reduce the attack surface for your initiative.

If a task has already been created within Phabricator as a placeholder for a review, we ask that you provide the information from the aforementioned Phabricator form on said task. Review requests which are missing requested information may be delayed or declined.

Expectations
Required Information (The task template prompts for all this)


 * 1) Name of project:
 * 2) Project home page:
 * 3) Name of team which owns the project:
 * 4) Primary contact for the project:
 * 5) Target date for deployment:
 * 6) Link to code repository:
 * 7) Is this a brand-new project:
 * 8) Has this project ever been reviewed before: (Phab tasks, etc.)
 * 9) Has any risk assessment (STRIDE, etc.) been performed:
 * 10) Is there an existing RFC or has this been presented to the community:
 * 11) Is this project tied to a team quarterly goal:
 * 12) Does this project require its own privacy policy:
 * 13) Description of the project and how it will be used
 * 14) Topology or flow diagrams outlining data flow
 * 15) Description of any sensitive data to be collected or exposed
 * 16) Technologies employed
 * 17) Dependencies and vendor code
 * 18) Working test environment (if one exists already)

If your project is not on the schedule and you believe it should be, or if you have any questions about the Security Teams Readiness Review process, please (contact the Security Team) as soon as possible.