Google has released a beta version of the Google Cloud Security Scanner, designed to scan apps running in the cloud for security vulnerabilities, for its Platform-as-a-Service (PaaS) users.
Noting that “deploying a new build is a thrill” but each must be scanned for security flaws, Rob Mann, security engineering manager at Google, wrote in a blog post that developers using Google App Engine now “can easily scan your application for two very common vulnerabilities: cross-site scripting (XSS) and mixed content.”
While other scanners exist, “they're often difficult to set up, prone to over-reporting issues (false positives) – which can be time-consuming to filter and triage – and built for security professionals, not developers,” the blog said.
Two common approaches, parsing the HTML while emulating a browser, or driving a regular browser, both have shortcomings. Instead, Google took a multistage pipeline approach in which “the scanner makes a high speed pass, crawling, and parsing the HTML.”
From there, it “executes a slow and thorough full-page render” to uncover a site's more complex sections.
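To illustrate what the fast parse-only pass can catch for the mixed-content class mentioned above, here is an added example (not Google's scanner code) that walks a page's HTML and flags subresources fetched over plain http from an https page; the host names and the sample page are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that trigger a subresource load or a submission; an http:// value
# on an https:// page is mixed content.
URL_ATTRS = {"src", "href", "data", "poster", "action"}
# <a href> is navigation rather than a resource load, so it is not flagged.
SKIP_TAGS = {"a", "base"}


class MixedContentFinder(HTMLParser):
    """Parse-only pass: records http:// subresources referenced from an https:// page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_TAGS:
            return
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            # Resolve relative and protocol-relative ("//host/x") references
            # against the page URL so they inherit the page's scheme.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, name, absolute))


def find_mixed_content(page_url, html):
    """Return (tag, attribute, url) tuples for insecure references on a TLS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only applies to pages served over TLS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page (hypothetical hosts, not a real site).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="//cdn.example/app.js"></script>
</head><body>
<img src="http://images.example/logo.png">
<img src="/static/ok.png">
<a href="http://other.example/">link</a>
<form action="http://forms.example/submit"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content("https://app.example/", SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> -> {url}")
```

The protocol-relative script and the site-relative image resolve to https and are correctly left alone, which is the main false-positive trap in a naive substring search for "http://".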
But because that process is too slow, the company scaled the approach horizontally. Using the Google Compute Engine, the company “dynamically creates a botnet of hundreds of virtual Chrome workers” to scan a site, Mann wrote, assuring developers that “each scan is limited to 20 requests per second or lower.”
But Mann warned that a clean scan is not the same as being bug-free.
“We still recommend a manual security review by your friendly web app security professional,” Mann said.
Google offered considerable detail about the scanner, said it will continue to add features, and invited developer feedback.