Chrome 40 promoted to stable channel, includes 62 security fixes

Google has released a beta version of the Google Cloud Security Scanner, designed to scan apps running in the cloud for security vulnerabilities, for its Platform-as-a-Service (PaaS) users.

Noting that “deploying a new build is a thrill” but each must be scanned for security flaws, Rob Mann, security engineering manager at Google, wrote in a blog post that developers using Google App Engine now “can easily scan your application for two very common vulnerabilities: cross-site scripting (XSS) and mixed content.”  

While other scanners exist, “they're often difficult to set up, prone to over-reporting issues (false positives) – which can be time-consuming to filter and triage – and built for security professionals, not developers,” the blog said.

Mann also wrote that the challenges of “crawling and testing modern HTML5, JavaScript-heavy applications with rich multi-step user interfaces” exceed those of scanning basic HTML pages. 

Two common approaches, parsing the HTML and emulating a browser or using a regular browser, both have shortcomings. Instead, Google took a multistage pipeline approach in which “the scanner makes a high speed pass, crawling, and parsing the HTML.”

From there, it “executes a slow and thorough full-page render” to uncover a site's more complex sections.
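As an added illustration (not Google's code, and not from the blog post), a fast first pass of this kind can be sketched as a static HTML parse that flags mixed content on an HTTPS page and notes whether the page carries scripts, in which case only a full render would see what they load. The class name, function name, tag list and sample page below are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that load a subresource. True = active content
# (can script or restyle the page), False = passive (images, media).
LOADERS = {
    ("script", "src"): True, ("iframe", "src"): True,
    ("link", "href"): True, ("object", "data"): True,
    ("img", "src"): False, ("audio", "src"): False,
    ("video", "src"): False, ("source", "src"): False,
}

class MixedContentPass(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []         # (kind, tag, absolute_url)
        self.needs_render = False  # a script may add loads this pass cannot see

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.needs_render = True
        # Simplification: only stylesheet <link>s are treated as resource loads.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for (t, a), active in LOADERS.items():
            if t == tag and attrs.get(a):
                # Resolve relative and protocol-relative URLs against the page.
                url = urljoin(self.page_url, attrs[a].strip())
                if urlsplit(url).scheme == "http":
                    kind = "active" if active else "passive"
                    self.findings.append((kind, tag, url))

def scan(page_url, html):
    """Return (findings, needs_render) for one already-fetched page."""
    if urlsplit(page_url).scheme != "https":
        return [], False  # mixed content only exists on HTTPS pages
    p = MixedContentPass(page_url)
    p.feed(html)
    p.close()
    return p.findings, p.needs_render

# Constructed sample page, not taken from any real site.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<link rel="canonical" href="http://app.example.test/">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="http://img.example.test/logo.png"><img src="/local.png">
<script src="http://cdn.example.test/legacy.js"></script>
</body></html>"""
```

Pages where `needs_render` is true are the ones a static parse cannot fully cover, which is the gap the slower full-page render stage is described as closing.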

But because that process is too slow, the company scaled the approach horizontally. Using the Google Compute Engine, the company “dynamically creates a botnet of hundreds of virtual Chrome workers” to scan a site, Mann wrote, assuring developers that “each scan is limited to 20 requests per second or lower.” 

When the company attacks a site for the second time, it uses “a completely benign payload” based on Chrome DevTools to execute the debugger when testing for XSS. “Once the debugger fires, we know we have JavaScript code execution,” Mann wrote, “so false positives are (almost) non-existent.”

But the security engineer warned that a clean scan isn't the equivalent of being bug-free. 

“We still recommend a manual security review by your friendly web app security professional,” Mann said.

Google offered considerable detail about the scanner and said it will continue to add features, inviting developer feedback.