Wikimedia Security Team/Goals 2016-2017

= Goals =

All goals are in addition to training, reviews, security bug work, static and dynamic application scanning, and vulnerability scanning.

Q1 (July-Sept 2016)
1. Two-Factor usability improvements
 * Conduct surveying of user experience (may be completed Q4 2015-2016)
 * Implement changes based on analysis of feedback

2. Draft and release job descriptions for new Security Team staff and begin the hiring process
 * Director of (Application) Security
 * Software Engineer, Security
 * Security Analyst
 * Privacy Engineer

3. Draft Security Team onboarding documents/handbook, documenting:
 * Issue triage and response
 * Team member responsibilities and information required for cross-training
 * Policies and processes

The team will also support other teams in the following initiatives:
 * 1) Data Mapping, led by Legal
 * 2) AuthManager post-deployment updates, led by Reading
 * 3) Security audit remediation, led by OIT
 * 4) Incident postmortem reviews, led by Architecture

Anticipated security reviews:
 * Reading - ?
 * TBD

Q2 (Oct-Dec 2016)
1. Continue Security Team hiring process
 * Application Security Engineer
 * Software Engineer, Security

2. Onboard new Security Team members

3. Improve automated scanning implementation
 * Dynamic: migrate services from Labs to VMs in cluster
 * Dynamic: update dynamic scanning to use the latest OWASP ZAP and a re-implemented storage backend
 * Both: develop weekly triage process OR unify scan triage with visibility into dynamic and static results for a given section of code

OR

3. Protect sensitive user information (auth / sessions)
 * Depends on outcome of discussion with operations and projected Security team hires.

Q3 (Jan-Mar 2017)
TBD

Q4 (Apr-Jun 2017)
TBD