Services


Security Architecture

The Security Architecture pillar currently provides a range of services under two main categories: Privacy Engineering and Application Security. These categories include service offerings such as manual Application Security Reviews of code and Privacy Reviews of new and significantly altered systems, relevant awareness training for staff and community members, consultative work with a focus on preliminary systems design, as well as basic clinic responsibilities, security and privacy tooling, and security feature engineering.

Aspects of this service include:

Application Security

The security team conducts security-focused code reviews and audits ranging from basic guidance on a Gerrit patch set to full-featured reviews of MediaWiki core, extensions and stand-alone services. Services include:

  • Manual review of patches and code
  • Dynamic analysis of libraries and applications
  • Report creation and review

Privacy Engineering

The privacy engineering arm of the security team provides procedures and tools for the review of data processing activities to identify and mitigate associated risks to the organization and its users, including compliance with existing policies. Services include:

  • Privacy data reviews
  • Privacy functionality reviews
  • Privacy mitigation support
  • Privacy Awareness and Privacy by Design Training

Security Engineering

The security team creates and manages GRC and other security engineering tooling.

Standards

The security team creates, updates, and reviews various security and privacy standards. The security team also handles exception management for these standards, as well as their enforcement.