
Security Team quarterly check in for April - June 2019
Open, Normal, Public

Description


Q4 Goals

https://www.mediawiki.org/wiki/Wikimedia_Technology/Annual_Plans/FY2019/CDP1:_Privacy,_Security,_and_Data_Management/CDP_Budget_Segment_2/Goals#Status_2

Outcome 1 / Output 1

Ensure the high-quality protection and security of our infrastructure and data. Review and update current security policies, standards and procedures.

Goal(s)

  • Review and mature our security policies and awareness functions:
      • T221133: Create or update 3 security policies (Q4 2019) (ongoing goal) (T221642)
      • Provide Security Awareness training (ongoing goal) (T221659)
      • Perform Phishing campaign
      • Form Security Council (T221639)
  • Form strategy and begin initial steps toward building a data governance platform
  • Form strategy and begin initial steps toward building a vulnerability management program
  • Assess current security logging capabilities (stretch goal)

Outcome 1 / Output 2

Ensure the high-quality protection and security of our infrastructure and data. Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.

Goal(s)

  • Expansion of CSP (ongoing goal) (T28508)
  • Security Release (ongoing goal) (T205041)
  • Analytics Risk Assessment and Threat Model (T203997)
  • Incorporation of Phan-taint-check into MW Core (stretch goal) (T203630, T183174, T216348)
  • Evaluate dynamic scanners (T219567)
  • Routine penetration testing
  • Polish and demo appsec docker “toolboxes” (PHP, Python) (T221477)
  • Improve security tooling for Phab/Gerrit monitoring (T217673, T218743, T212508)
  • Formalized process and SOP for concept/design reviews (new form and SOP update, T220624, done)
  • Generate initial security metrics/measurements

Outcome 1 / Output 3

Ensure the high-quality protection and security of our infrastructure and data. Increase maturity and capabilities in the event of a security incident.

Goal(s)

  • Perform tooling and process retro
  • Finalize and test our Security Incident Response documentation (T221662)
  • Create incident play by play dashboard (T221664)
  • Perform 1 large scale tabletop exercise (T221663)

Event Timeline

Restricted Application added a subscriber: Aklapper. Mar 12 2019, 12:55 PM
charlotteportero updated the task description.
chasemp updated the task description. Apr 16 2019, 6:58 PM
sbassett triaged this task as Normal priority. Apr 16 2019, 8:06 PM
sbassett updated the task description. Apr 19 2019, 7:02 PM
sbassett updated the task description.
sbassett edited subscribers, added: JBennett, sbassett, chasemp and 5 others; removed: charlotteportero.
Dsharpe updated the task description. Tue, Apr 23, 3:01 PM
Dsharpe updated the task description. Tue, Apr 23, 3:09 PM
Dsharpe updated the task description. Tue, Apr 23, 4:05 PM
Dsharpe updated the task description. Tue, Apr 23, 4:15 PM
Dsharpe updated the task description. Tue, Apr 23, 4:18 PM
Dsharpe updated the task description.
chasemp updated the task description. Mon, Apr 29, 6:18 PM