Hello,
In an effort to create a repeatable and streamlined process for consumption
of security services, the Security Team has been working on changes and
improvements to our workflows. Much of this effort is an attempt to
consolidate work intake for our team in order to more effectively
communicate status, priority and scheduling. This is step 1, and we expect
future changes as our tooling, capabilities and processes mature.
*How to collaborate with the Security Team*
The Security Team works in an iterative manner to build new and mature
existing security services as we face new threats and identify new risks.
For a list of currently deployed services please review our services [1]
page.
The initial point of contact for the majority of our services is now a
consistent Request For Services [2] (RFS) form [3].
The two workflow exceptions to RFS are the Privacy Engineering [4] service
and the Security Readiness Review [5] process, which already have established
methods that are working well.
If the RFS forms are confusing or don't lead you to the answers you need,
try security-help(a)wikimedia.org to get assistance with finding the right
service, process, or person.
security(a)wikimedia.org will continue to be our primary external reporting
channel.
*Coming changes in Phabricator*
We will be disabling the workboard on the #Privacy [6] project. This
workboard is not actively or consistently cultivated and often confuses
those who interact with it. #Privacy is a legitimate tag to be used in
many cases, but the resourced privacy contingent within the Security Team
will be using the #privacy engineering [7] component.
We will be disabling the workboard for the #Security [8] project. Like the
#Privacy project this workboard is not actively or consistently cultivated
and is confusing. Tasks which are actively resourced should have an
associated group [9] tag such as #Security Team [10].
The #Security project will be broken up into subprojects [11] with
meaningful names that indicate how users relate to the #Security landscape.
This is in service of #Security no longer serving double duty as an ACL and
a group project. An ACL*Security-Issues project will be created, and
#Security will still be available to link cross-cutting issues, but will
also allow equal footing for membership for all Phabricator users.
*Other Changes*
A quick callout to the consistency [12] and Gerrit sections of our team
handbook [13]. As a team we have agreed that all changesets we interact with
need a linked task with the #security-team tag.
security@ will soon be managed as a Google Groups collaborative inbox [14],
as outlined in T243446.
Thanks,
John
[1] Security Services
https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Services
[2] Security RFS docs
https://www.mediawiki.org/wiki/Security/SOP/Requests_For_Service
[3] RFS form
https://phabricator.wikimedia.org/maniphest/task/edit/form/72/
[4] Privacy Engineering RFS
https://form.asana.com/?hash=554c8a8dbf8e96b2612c15eba479287f9ecce3cbaa09e2…
[5] Readiness Review SOP
https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews
[6] Phab Privacy tag
https://phabricator.wikimedia.org/tag/privacy/
[7] Privacy Engineering Project
https://phabricator.wikimedia.org/project/view/4425/
[8] Security Tag
https://phabricator.wikimedia.org/tag/security/
[9] Phab Project types
https://www.mediawiki.org/wiki/Phabricator/Project_management#Types_of_Proj…
[10] Security Team tag
https://phabricator.wikimedia.org/tag/security-team/
[11] Security Sub Projects
https://phabricator.wikimedia.org/project/subprojects/4420/
[12] Security Team Handbook
https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Handbook#Consistency
[13] Secteam handbook-gerrit
https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Handbook#Gerrit
[14] Google collab inbox
https://support.google.com/a/answer/167430?hl=en