Wikimedia Security Team/Goals 201516

= Context =

Strategy
WMF Strategy Preview

Specific things called out that affect the Security Team:
 * The WMF can become a thought-leader on Privacy
 * To "improve the core", there is emphasis on metrics for each department, specifically:
   * Score cards & KPIs
   * Outcome-based budgeting
   * Improved, clear success criteria for projects

2015 Call to Action
Strengthen Technology & Execution
 * We will define our commitments -- and deliver on-time and on-budget.
 * We will make our decisions based on data.
 * We will improve our process for community input and allocate dedicated technical resources to community requests.
 * We will update legacy architectures and deliver mobile-ready infrastructure and services to support structured data, user security, and a simplified user experience.

Focus on Community & Knowledge
 * We will integrate across community engagement functions to improve communication and results.
 * We will create a central, multilingual hub for community support.
 * We will have a working plan to support emerging users and communities.
 * We will improve our measures of community health and content quality, and fund effective community and content initiatives.

Experimentation & New Knowledge
 * We will integrate, consolidate, and pause or stop stalled initiatives.
 * We will create spaces for future community-led innovations and new knowledge creation.
 * We will facilitate and support new models and structures for knowledge curation.
 * We will strengthen partnerships with organizations that use or contribute free content, or are aligned with the WMF in the free-knowledge movement.

= Goals =

Q1 (July-Sept 2015)

 * 1) Automated dynamic scanning of MediaWiki in beta. This is an area where the WMF trails industry practice. In addition to finding flaws before malicious users do, integrating dynamic scanning (along with static analysis) into the development process should allow teams to take more ownership of the security of their code and ensure security is not a blocker for teams to "deliver on-time and on-budget". Additionally, dynamic scanning will give the Security Team quantitative measurements related to the security of code produced by different teams, which may be useful in identifying trends over time. During this quarter, we will:
   * Pick tool to implement
   * Configure weekly automated scanning from labs of beta (coordinated with RelEng)
   * Record baseline scan results for core and one extension

 * 2) Document and report initial metrics for security bug handling and the review process. The security team currently operates without defined KPIs. Since security bug handling is a core process for the team, we will define metrics that may measure the health of this process.

The team will also support other teams in the following initiatives:
 * 1) Support legal during rollout of email encryption initiative
 * 2) Support privacy for Analytics initiatives
 * 3) Security reviews and security fixes for QA/Engineering

Q2 (Oct-Dec 2015)

 * 1) Automated security static analysis of MediaWiki.
 * 2) Document and report initial metrics for security review process.

Q3 (Jan-Mar 2016)

 * 1) Coordinate external security review of MediaWiki.