Security/SOP/Security Preview

Review Required by: 12th February 2020

Purpose
The purpose of this Standard Operating Procedure (hereinafter referred to as SOP) is to document the requirements for individuals in need of a pre-deployment security code review.

Process
Concept review (optional)

When considering a new project, if there is any doubt about whether the feature is sound from a security standpoint, or whether it might negatively impact user privacy, you can optionally consult with the Security Team during the Concept phase of your project. Please create a [https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?title=Security%20Concept%20Review%20For%20%7B...%7D&description=%23%23%23Project%20Information%20%0A*%20Name%20of%20project%3A%0A*%20Project%20home%20page%3A%0A*%20Name%20of%20team%20which%20owns%20the%20project%3A%0A*%20Primary%20contact%20for%20the%20project%3A%0A*%20Target%20date%20for%20deployment%3A%0A*%20Link%20to%20code%20repository%3A%0A*%20Is%20this%20a%20brand-new%20project%3A%20%0A*%20Has%20this%20project%20ever%20been%20reviewed%20before%3A%20(Phab%20tasks%2C%20etc.)%0A*%20Has%20any%20risk%20assessment%20(STRIDE%2C%20etc.)%20been%20performed%3A%0A*%20Is%20there%20an%20existing%20RFC%20or%20has%20this%20been%20presented%20to%20the%20community%3A%0A*%20Is%20this%20project%20tied%20to%20a%20team%20quarterly%20goal%3A%0A*%20Does%20this%20project%20require%20its%20own%20privacy%20policy%3A%0A%23%23%23Description%20of%20the%20project%20and%20how%20it%20will%20be%20used%0A%60%2F*%20please%20be%20verbose%20and%20feel%20free%20to%20link%2Fupload%20related%20documents%20*%2F%60%0A%0A%23%23%23Description%20of%20any%20sensitive%20data%20to%20be%20collected%20or%20exposed%0A%60%2F*%20PII%2C%20credit%20cards%2C%20UA%2FIP%2C%20credentials%2C%20etc.%20*%2F%60%0A%0A%23%23%23Technologies%20employed%0A%60%2F*%20please%20list%20all%20relevant%20languages%2C%20platforms%2C%20hardware%2C%20etc.%20*%2F%60%0A%0A%23%23%23Dependencies%20and%20vendor%20code%0A%60%2F*%20please%20list%20all%20known%20internal%20and%20external%20dependencies%2C%20including%20hosting%20providers%20*%2F%60%0A%0A%23%23%23Working%20test%20environment%0A%60%2F*%20this%20is%20NOT%20A%20HARD%20REQUIREMENT%20*%2F%60%0A%60%2F*%20a%20vagrant%20role%2C%20Dockerfile%2C%20install%20instructions%2C%20outside%20proof-of-concept%20or%20ETA%20on%20existence%20*%2F%60%0A%60%2F*%20n.b.%20the%20test%20environment%20will%20determine%20if%20the%20Phabricator%20task%20needs%20to%20be%20security-protected%20*%2F%60&projects=Security-Team-Reviews Security Concept Review request] (short: https://w.wiki/DpV) within Phabricator.

As an example, consider an extension that would allow users to include iframes in wiki pages, to embed content from other sites. This concept would be inappropriate for Wikimedia: because each reader's browser fetches the embedded content directly from the third-party site, it would leak user IP addresses to third parties, in violation of our Privacy Policy. Having a Concept Review before any work is done on the extension prevents wasted effort on an idea that is not workable within the context of Wikimedia.

Towards the conclusion of the Concept Review, the Security Team will work with you to ensure that sufficient controls are in place to address the specific threats implied by your architecture. The Security Team may also suggest additional ways to reduce the attack surface of your project.

Finally, although the Concept Review is optional, performing one allows issues to be identified early on in a project's lifecycle, which is vastly preferable to discovering serious issues mere days or hours before (or after) a scheduled deployment.

Review process

 * 1) If the Task meets the requirements in items (4) and (5), then the Security Coordinator approves the Task, assigns it to a Security Team Engineer and places the Task in the  “In Progress” queue.
 * 2) See the #Security-Team-Reviews workboard for currently planned reviews.
 * 3) The “In Progress” queue reflects all active Security Readiness Reviews. These tasks typically have target completion dates of two to four weeks.
 * 4) A Security Team Engineer will review the Task and, if it is approved, will comment on the Task and mark it as resolved where appropriate.
 * 5) If your project is not on the schedule and you believe it should be, or if you have any questions about the Security Team's Readiness Review process, please contact the Security Team as soon as possible.
 * 6) If your Task is reviewed by the Security Team Engineer and requires action on your part, the Task will be placed in the “Waiting on Response/Mitigation” queue. The Task may reside there for no more than 30 days.
 * 7) If the Security Team Engineer has not received a response within those 30 days, the Task will be moved to the “Frozen” column.
 * 8) Tasks that have been in the “Frozen” column for more than 180 days will be removed from the Security-Team-Reviews project.