
Update language in security review SOPs to establish timelines and expectations
Closed, Resolved (Public)

Description

Currently, the general reference is "30 days notice" but this is really 30 days to get a review done from top to bottom. That is probably aggressive as this backlog grows.

We already set an expectation here:

Typically, WMF teams or MediaWiki developers embarking on a new project should plan to have 2 or 3 check-ins with the Security Team.

But this seems to not be grabbing attention and we are seeing reviews (even significantly sized ones) surface for the first time 30 days or less from expected launch.

Differentiation between expected timeline for first engagement with the Security Team and expected timeline for review work is needed.

https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews
https://www.mediawiki.org/wiki/Security/SOP/Security_Concept_Reviews

We also have T242791: Implement an 'Estimated Start Date' field in Phab in the works to help with communicating flow through our process with task attributes but the expectations themselves have to first be represented in the SOP.

Possibly also address the use of the new Est Start Date field from T242791?

Event Timeline

chasemp created this task.

Will review with @JBennett and the AppSec team and plan on updating before 1/27/20.

We've determined that the expectation of "30 days" as a timeframe will only apply once the team has received everything needed to move forward and as long as nothing occurs to hamper / restart our review process. This could include changes to code, which would restart the 30 day timer. I'll look at precise phrasing of this for Readiness reviews, and it will not apply to Concept reviews.

Language updated and will continue to monitor and adjust.