Wikimedia Security Team/SDLC

= Security in the WMF SDLC =

Security and privacy should be integrated throughout the software development process at the WMF. There are several points in the process where the Security Team must be involved, and developer training raises awareness so that developers and product managers make good security decisions.

When looking specifically at the WMF product development process, which defines a Concept > Plan > Design > Build > Release > Maintain cycle, it's anticipated that teams should consider security in the following phases.

Concept
Teams should consider, and possibly document:
 * Does this make sense from a security perspective?

If it's likely that the project will need security reviews by the Security Team, teams should coordinate with the Security Team to schedule them.

Plan / Design

 * reduce your attack surface -- tbd


 * Dataflow diagram => risks and controls identified
 * Mitigations documented


 * Privacy documentation


 * Security design review - https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Security_reviews#Design_review

Build

 * Secure Code


 * Library selection, maintenance


 * Tests that integrate with ZAP

Release

 * Final Security review - https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Security_reviews#Security_and_privacy_review.2C_for_deployment_.28mandatory.29
 * Privacy review - https://docs.google.com/document/d/10CF9IsFK5MChK9sDJMx2d-VmfL31mtcE3EerQG4WRTE/edit

Maintenance

 * Weekly scans by automated tools
 ** Core - Veracode SA
 ** Core, Mobile, Flow? - ZAP scans


 * Security bugs
 ** Bug information collected for reports - https://www.mediawiki.org/wiki/Reporting_security_bugs#Tracking
 ** Fixing - https://www.mediawiki.org/wiki/Developing_security_patches