Hello,

In an effort to create a repeatable and streamlined process for consumption of security services, the Security Team has been working on changes and improvements to our workflows. Much of this effort is an attempt to consolidate work intake for our team in order to more effectively communicate status, priority and scheduling. This is step 1 and we expect future changes as our tooling, capabilities and processes mature.

*How to collaborate with the Security Team*

The Security Team works in an iterative manner to build new and mature existing security services as we face new threats and identify new risks. For a list of currently deployed services please review our services [1] page.

The initial point of contact for the majority of our services is now a consistent Request For Services [2] (RFS) form [3].

The two workflow exceptions to RFS are the Privacy Engineering [4] service and Security Readiness Review [5] process, which already had established methods that are working well.

If the RFS forms are confusing or don't lead you to the answers you need, try [email protected] to get assistance with finding the right service, process, or person.

[email protected] will continue to be our primary external reporting channel.

*Coming changes in Phabricator*

We will be disabling the workboard on the #Privacy [6] project. This workboard is not actively or consistently cultivated and often confuses those who interact with it. #Privacy is a legitimate tag to be used in many cases, but the resourced privacy contingent within the Security Team will be using the #privacy engineering [7] component.

We will be disabling the workboard for the #Security [8] project. Like the #Privacy project, this workboard is not actively or consistently cultivated and is confusing. Tasks which are actively resourced should have an associated group [9] tag such as #Security Team [10].

The #Security project will be broken up into subprojects [11] with meaningful names that indicate user relation to the #Security landscape. This is in service to #Security no longer serving double duty as an ACL and a group project. An ACL*Security-Issues project will be created and #Security will still be available to link cross-cutting issues, but will also allow equal footing for membership for all Phabricator users.

*Other Changes*

A quick callout to the consistency [12] and Gerrit sections of our team handbook [13].
As a team we have agreed that all changesets we interact on need a linked task with the #security-team tag.

security@ will soon be managed as a Google group collaborative inbox [14] as outlined in T243446.

Thanks
John

[1] Security Services https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Services
[2] Security RFS docs https://www.mediawiki.org/wiki/Security/SOP/Requests_For_Service
[3] RFS form https://phabricator.wikimedia.org/maniphest/task/edit/form/72/
[4] Privacy Engineering RFS https://form.asana.com/?hash=554c8a8dbf8e96b2612c15eba479287f9ecce3cbaa09e235243e691339ac8fa4&id=1143023741172306
[5] Readiness Review SOP https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews
[6] Phab Privacy tag https://phabricator.wikimedia.org/tag/privacy/
[7] Privacy Engineering Project https://phabricator.wikimedia.org/project/view/4425/
[8] Security Tag https://phabricator.wikimedia.org/tag/security/
[9] Phab Project types https://www.mediawiki.org/wiki/Phabricator/Project_management#Types_of_Projects
[10] Security Team tag https://phabricator.wikimedia.org/tag/security-team/
[11] Security Sub Projects https://phabricator.wikimedia.org/project/subprojects/4420/
[12] Security Team Handbook https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Handbook#Consistency
[13] Secteam handbook-gerrit https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Handbook#Gerrit
[14] Google collab inbox https://support.google.com/a/answer/167430?hl=en

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
