Security/SOP/Security Preview

Review Required by: 7 January 2021

Purpose
When considering a new initiative, you can consult with the Security Team during the conceptual/planning phase. Although concept reviews are optional, performing one allows issues to be identified early in the planning lifecycle.

Conceptual reviews can be difficult to scope and, by nature, encompass changing conditions. It is the intention of the Security Team to provide valuable, timely, best-practice guidance. Initiatives of large scope may require specialized approaches or long lead times to ensure effective collaboration. It is a best practice to involve the Security Team early.

Work product this may be relevant for:
 * A team wants to use AWS Mechanical Turk and desires the Security Team's input on the plan
 * A team wants to use a third-party product's key management solution and needs assistance understanding the implications for data leakage/confidentiality
 * An extension is being planned that would allow users to include 's in wiki pages, to embed content from other sites. (We would surface that this is inappropriate for Wikimedia, as it leaks user IP addresses to third parties in violation of our Privacy Policy.)

Work product this is not relevant for:
 * Reviewing code repositories prior to deployment. That would be a Security Readiness Review.
 * Access requests to protected Phabricator tasks or NDA protected content

If you are unsure, it may be best to submit a general Request For Service.

Process

 * 1) Create a Security Request for Service within Phabricator.
 * 2) Security Team members will triage requests weekly.
 * 3) See the Incoming column of the #Security-Team workboard for current requests in need of triage.
 * 4) The In Progress column reflects all active work.

Towards the conclusion of the concept review, the Security Team will work to ensure that you understand which controls should be in place to address specific threats based upon your architecture. The Security Team may also suggest additional ways to reduce the attack surface for your initiative.

If a task has already been created within Phabricator as a placeholder for a review, we ask that you provide the information from the aforementioned Phabricator form on that task. Review requests that are missing requested information may be delayed or declined.

Expectations
Because this service line deals with half-formed ideas, concepts, and planning, there are minimum requirements for making progress in such conditions.

Required Information (the form prompts for all of this)

= Basic Information =

Primary Contacts
- `@phabname` is appropriate here. //Two// contacts are requested.

Brief description
- Reason for request. This is an outline of the intention and purpose for the project.

Do you have a project/product/program plan or documentation?
- Please link to existing documentation such as the project homepage.
- Documents can be attached to this task if needed.

What Security Team services do you anticipate needing?
- https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Services
- https://phabricator.wikimedia.org/project/subprojects/4420/

> set services from above / all of the above / I don’t know (Perfectly fine)

What is the 'go live' date for this project?
> 3 months / 6 months / 1 year

= Technical Information =

Will any sensitive data be collected, stored or exposed?
- https://foundation.wikimedia.org/wiki/Privacy_policy
- Examples: `PII, credit cards, UA/IP, credentials`

Do related discussions exist in Phab, on wiki, or in an RFC?
- https://www.mediawiki.org/wiki/Requests_for_comment

- Please link to existing tasks or discussions

Technology Stack
- Please list all relevant languages, platforms, hardware, etc.

- Please list all known internal and external dependencies, including hosting providers

If your project is not on the schedule and you believe it should be, or if you have any questions about the Security Team's Readiness Review process, please contact the Security Team as soon as possible.