Security/SOP/Application Security Reviews

Security Teams Readiness Review, for deployment (mandatory)

Projects must have a "Security Teams Readiness Review" task in Phabricator documenting that they have performed a security review and addressed any blockers before they can deploy a new extension or major library feature.

This Security Teams Readiness Review will ensure that the controls identified in the design review have been implemented. Additionally, the Security Team will attempt to ensure that the project avoids common implementation flaws.

There are three possible results of this Security Teams Readiness Review:

1) No issues found, extension or library can be deployed (provided other requirements at Security Teams Readiness Review queue are met). (Example: phab:T148583)

2) Only minor issues found, or any major issues found are straightforward fixes. Extension or library can be deployed once the found issues are fixed. (Example: phab:T149808)

3) Major or complex security issues found. Once the identified issues are fixed, the extension or library will have to be re-reviewed. (Example: phab:T133408)

Expectations

All code should avoid the top 25 CWEs and comply with the requirements of Security for developers/Architecture.

Libraries should encourage safe practices by the developers who use them, or clearly document when misuse can result in a security flaw.

Services should use a standard framework or service template.

External applications (services, or applications such as media conversion utilities) used by the code should not have known, open security issues. The application should be supported by a competent security program.

Privacy impact has been considered, and mitigated when appropriate.

For external applications or libraries, a WMF team must be committed to being alerted about, and applying, any security fixes released by the upstream developers.

The team developing the code has already reviewed it internally and believes it to be secure.

See also Wikimedia Security Team/Security Teams reviews/What we are looking for

Requesting a Security Teams Readiness Review

Use the following link to open a Phabricator task to request a Security Teams Readiness Review:

Request a Security Teams Readiness Review

This will create a Phabricator task pre-populated with a template which you may fill in with information about your project.

Alternatively, you may manually create a Phabricator task and associate it with the #Security-Teams Readiness Reviews project. However, it is greatly preferred that you use the template provided by the link above. Security Teams Readiness Review requests MUST include:

Name of tool/project

Description of the tool/project

Description of how the tool will be used at WMF

Name of individual/group requesting review and primary contact

Name of individual/group responsible for tool/project after deployment and primary contact

Target date for deployment (or approximate date deployed if already in production or labs)

Information from any review of the tool that has already been conducted

Working test environment

Programming language(s) used

Source code repository location

Upstream project home page (if applicable)

WMF project home page (if applicable)

Related Phabricator tickets

Related patchset(s)

Review schedule

Security Teams Readiness Reviews will be scheduled weekly. All Security Teams Readiness Review Requests MUST be submitted to the Security Team at least one (1) month prior to the Target Date for deployment; otherwise the review will be delayed.

See the #Security-Teams Readiness Reviews workboard for currently planned reviews. The “In Progress” queue reflects all active tasks. These tasks have target dates of two to four weeks. Once you have filed a Security Teams Readiness Review Request, the Coordinator of the Security Team will add it to the workboard.

If your project is not on the schedule and you believe it should be, or if you have any questions about the Security Teams Readiness Review process, please contact the Security Team (security-team@wikimedia.org) as soon as possible.

If, after reviewing your task, the Engineer requires an action on your part, the task is placed in the Waiting on Response/Mitigation queue. The task may reside there no more than one month. If the Engineer has not received a response within 30 days, the task will be closed and moved to the Frozen column.

If approved by the Engineer, this will be noted in Phabricator, and you may proceed with deployment of the code.

Tasks that have been on the Frozen column more than 180 days will be Closed as ___________.
