Port Security Review to Drupal 8

Created on 14 November 2014, over 10 years ago
Updated 22 November 2023, over 1 year ago

Summary plan for Security Review in Drupal 8

  1. Review and extend this plan
  2. Make 8.x branch of the code
  3. Port/develop basic security checks
  4. Port/develop basic functionality

Detailed plan

  1. Port basic user interface
  2. Make the persistency work with Configuration API
  3. Design the new architecture and Security Review API
  4. Implement the new architecture
  5. Port or write one check that shows the capabilities of the system
  6. Write tests
  7. Document the new API
  8. 1st PUSH to Drupal.org
  9. Port drush interface
  10. Port existing checks
  11. Wrap up

banviktor is working on this as part of Google Summer of Code 2015. The latest code is at https://github.com/banviktor/security_review, and the developer blog can be found at http://blog.banviktor.me/gsoc15.

Checks ported

  • Drupal base URL
  • Drupal permissions
  • File system permissions
  • Error reporting
  • Private files
  • Executable PHP
  • Text formats
  • Temporary files
  • Database errors
  • Failed logins
  • Views access
  • Content
  • Allowed upload extensions

Checks not to be ported

  • PHP Access - PHP module removed from Drupal core but could check if enabled via PHP module
    • Fortunately this module doesn't even work now and it's not maintained.

Additional checks may be created but should be coordinated via a new issue; this ticket is about upgrading and matching most of the feature set of Security Review 7.x-1.x.

📌 Task

Status: Fixed
Version: 1.0
Component: Code
Created by: 🇸🇮 Slovenia RaulMuroc
