portico: Add security doc to /security.

templates/zerver/security.html

@@ -0,0 +1,29 @@
+{% extends "zerver/portico.html" %}
+
+{% block title %}
+<title>Zulip Security</title>
+{% endblock %}
+
+{% block customhead %}
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+{{ render_bundle('landing-page') }}
+{% endblock %}
+
+{% block portico_content %}
+
+{% include 'zerver/landing_nav.html' %}
+
+<div class="portico-landing why-page">
+    <div class="hero small-hero">
+        <h1 class="center">Zulip Security</h1>
+    </div>
+    <div class="main">
+        <div class="padded-content">
+            <div class="inner-content">
+                {{ render_markdown_path('zerver/security.md') }}
+            </div>
+        </div>
+    </div>
+</div>
+
+{% endblock %}

templates/zerver/security.md

@@ -0,0 +1,160 @@
+Zulip’s security strategy covers all aspects of our product and
+business. Making sure your information stays protected is our highest
+priority.
+
+## Security Basics
+
+- All Zulip clients (web, mobile, desktop, terminal, and integrations)
+  require TLS encryption and authentication over HTTPS for all data
+  transmission between clients and the server, both on LAN and the Internet.
+  Encryption-at-rest is available with Zulip on-premise, via hardware and
+  software disk encryption of the database and other data storage media.
+- Zulip’s on-premise offerings can be hosted entirely behind your firewall,
+  or even on an air-gapped network (disconnected from the Internet).
+- Every Zulip authenticated API endpoint has built in rate limiting to
+  prevent DoS attacks.
+- Connections from the Zulip servers to Active Directory/LDAP can be secured
+  with TLS.  If Zulip is
+  [deployed on multiple servers](https://zulip.readthedocs.io/en/latest/production/deployment.html),
+  all connections between parts of the Zulip infrastructure can be secured
+  with TLS or SSH.
+- Message content can be
+  [excluded from mobile push notifications][redact-content],
+  to avoid displaying message content on locked mobile screens, and to
+  comply with strict compliance policies such as the USA’s HIPAA standards.
+- Zulip operates a HackerOne bug bounty program to reward hackers for
+  finding and responsibly reporting security vulnerabilities in Zulip.  Our
+  [completely open source codebase](https://github.com/zulip/zulip) means
+  that HackerOne’s white-hat hackers can audit Zulip for potential security
+  issues with full access to the source code.
+
+[redact-content]: https://zulip.readthedocs.io/en/latest/production/mobile-push-notifications.html#security-and-privacy
+
+## Configurable Access Control Policies
+
+- Zulip supports private messages (to one or more individuals), private
+  streams with any number of subscribers, as well as public streams
+  available to all organization members.  We also support guest accounts,
+  which only have access to a fixed set of streams, and announcement
+  streams, where only organization administrators can post.
+- By default, users can maintain their own names and email addresses, but
+  Zulip also supports
+  [restricting changes](/help/restrict-name-and-email-changes) and
+  synchronizing these data from another database (such as
+  [LDAP/Active Directory][ldap-name]).
+- Zulip provides many options for
+  [managing who can join the organization](/help/manage-who-can-join-and-invite),
+  supporting everything from open to the public (e.g. for open source
+  projects), to requiring an invitation to join, to having an email from a
+  list of domains, to being a member of a specific organization in
+  LDAP/Active Directory.
+- Zulip also supports customizing whether non-admins can
+  [create streams](/help/configure-who-can-create-streams),
+  [add custom emoji](/help/only-allow-admins-to-add-emoji),
+  [add integrations and bots](/help/restrict-bot-creation),
+  [edit or delete messages](/help/configure-message-editing-and-deletion),
+  and more.
+
+[ldap-name]: https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#ldap-including-active-directory
+
+## Authentication
+
+- Zulip supports integrated single sign-on with Google, GitHub, and Active
+  Directory/LDAP. SAML and Okta authentication are coming soon. With Zulip
+  on-premise, we can support any of the 100+ authentication tools supported
+  by
+  [python-social-auth](https://python-social-auth-docs.readthedocs.io/en/latest/backends/index.html#social-backends)
+  as well as
+  [any SSO service that has a plugin for Apache][apache-sso].
+- Zulip uses the zxcvbn password strength checker by default, and supports
+  customizing users’ password strength requirements. See our documentation
+  on
+  [password strength](https://zulip.readthedocs.io/en/latest/production/security-model.html#passwords)
+  for more detail.
+- Users can rotate their accounts’ credentials, blocking further access from
+  any compromised Zulip credentials.  With Zulip on-premise, server
+  administrators can additionally revoke and reset any user’s credentials.
+- Administrators can deactivate any
+  [user](/help/deactivate-or-reactivate-a-user),
+  [bot, or integration](/help/deactivate-or-reactivate-a-bot).
+- With Zulip on-premise,
+  [session length](https://github.com/zulip/zulip/blob/master/zproject/prod_settings_template.py#L206)
+  and idle timeouts can be configured to match your organization’s security
+  policies.
+
+[apache-sso]: https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#apache-based-sso-with-remote-user
+
+## Integrity and auditing
+
+- Zulip administrators can configure users’
+  [ability to edit or delete messages](/help/configure-message-editing-and-deletion),
+  and whether deleted messages are retained in the database or deleted
+  permanently. Zulip by default stores the complete history of all message
+  content on the platform, including edits and deletions, and all uploaded
+  files.
+- Zulip’s server logging has configurable log rotation policies and can be
+  used for an end-to-end history of system usage.
+- Zulip stores in its database a permanent long-term audit log containing
+  the history of important actions (e.g. changes to passwords, email
+  addresses, and stream subscriptions).
+- Zulip’s powerful data exports
+  ([on-premise](https://zulip.readthedocs.io/en/latest/production/export-and-import.html),
+  [cloud](/help/export-your-organization)) can be imported into third-party
+  tools for legal discovery and other compliance purposes.  Zulip’s
+  enterprise offerings include support for integrating these with your
+  compliance tools.
+- Zulip supports GDPR and HIPAA compliance.
+
+
+## The little things
+
+Many products talk about having great security and privacy practices, but
+fall short in actually protecting their users due to buggy code or poor
+operational practices.
+
+Our focus on security goes beyond a feature checklist: it’s a point of
+pride. Zulip founder Tim Abbott was previously the CTO of Ksplice, which
+provided rebootless Linux kernel security updates for over 100,000
+production servers (now the flagship feature of
+[Oracle Linux](https://www.oracle.com/linux/)).
+
+Here are some security practices we’re proud of, all of which are unusual in
+the industry:
+
+- The Zulip server’s automated test suite has over 98% test coverage,
+  including 100% of Zulip’s API layer (responsible for parsing user input).
+  It is difficult to find any full-stack web application with as complete a
+  set of automated tests as Zulip.
+- Zulip’s python codebase is written entirely in
+  [statically typed Python 3](https://blog.zulip.org/2016/10/13/static-types-in-python-oh-mypy/),
+  which automatically prevents a wide range of possible bugs.
+- All access to user data (messages, streams, uploaded files, etc.) in the
+  Zulip backend is through carefully-audited core libraries that validate
+  that the user who is making the request has access to that data.
+- With many SaaS providers, essentially all engineers have direct shell
+  access to production servers storing user data.  Zulip Cloud is different:
+  only a small handful of security-trained engineers have access to
+  production servers or to sensitive customer data.
+- Our error handling systems are have been designed from the beginning to
+  avoid including user message content in error reports, even in cases where
+  this makes debugging quite difficult (e.g. bugs in the message rendering
+  codebase).
+- Zulip has a carefully designed API surface area of only about 100 API
+  endpoints. For comparison, products of similar scope typically have
+  hundreds or even thousands of endpoints. Every new API endpoint is
+  personally reviewed for security and necessity by the system architect Tim
+  Abbott.
+
+These security practices matter!  Slack, the most popular SaaS team chat
+provider, has needed to award
+[hundreds of bounties](https://hackerone.com/slack) for security bugs found
+by security researchers outside the company. This incredible number of
+discovered vulnerabilities likely results from Slack not following secure
+development practices (e.g. Slack uses a
+[famously insecure](https://www.quora.com/Why-is-PHP-hated-by-so-many-developers/answer/Anders-Kaseorg)
+programming language as the core language for their product).
+
+## Further reading
+
+- Detailed
+  [security model documentation](https://zulip.readthedocs.io/en/latest/production/security-model.html)

zerver/tests/test_docs.py

@@ -105,6 +105,7 @@ class DocPageTest(ZulipTestCase):
         self._test('/for/companies/', 'in a company')
         self._test('/for/working-groups-and-communities/', 'standards bodies')
         self._test('/for/mystery-hunt/', 'four SIPB alums')
+        self._test('/security/', 'TLS encryption')
         self._test('/devlogin/', 'Normal users', landing_page=False)
         self._test('/devtools/', 'Useful development URLs')
         self._test('/errors/404/', 'Page not found')

zproject/urls.py

@@ -495,6 +495,7 @@ i18n_urls = [
     url(r'^for/working-groups-and-communities/$',
         TemplateView.as_view(template_name='zerver/for-working-groups-and-communities.html')),
     url(r'^for/mystery-hunt/$', TemplateView.as_view(template_name='zerver/for-mystery-hunt.html')),
+    url(r'^security/$', TemplateView.as_view(template_name='zerver/security.html')),
 
     # Terms of Service and privacy pages.
     url(r'^terms/$', TemplateView.as_view(template_name='zerver/terms.html'), name='terms'),