On Wed, Apr 30, 2008 at 7:48 AM, Michael Osipov ossipov@inf.fu-berlin.de wrote:
Despite the recommendations and the security team, does this team or any other group/person take any measures to assure security with testing tools, with a special test plan or functional requirements?
Well, first of all, I think our security team consists of Brion, although maybe some other people receive the security@wikimedia.org mailings as well. Since he's also the lead developer, it's not so much a question of recommendations as mandates, which he usually implements personally (either fixing it himself, or reverting whatever broke it).
Nick Jenkins has done some fuzz-testing on MediaWiki in the past. As far as I'm aware, that's about the end of specific security testing that's done on MediaWiki, at least by the developers. The rest is covered by general code review: checking new code to make sure everything is escaped properly, and looking over old code as it's being maintained.