Google Cloud offers security scanning for customer apps
Google Cloud Security Scanner, now available as a free beta for Google App Engine users, is designed to overcome a number of limitations often found in commercial Web application security scanners.
Commercials scanners can be difficult to set up. They can over-report issues, leading to too many false positives. They are designed more for security professionals than developers. Google's scanner was designed to be easier to use, Mann said. The service is designed to spot errors in code that could be exploited through XSS (cross side scripting) or mixed content attacks, two common attack methods.
The scanner inspects a Web application in multiple steps. First, it quickly reviews the application's HTML code, which renders the front-end interface for users. Then it digs more deeply into the JavaScript code that runs the business logic for the site.
XSS attacks occur in sites that allow users to submit their own content, such as a discussion forum. If the Web server does not properly vet the submitted materials, attackers can add malicious code that executes when other users visit the site.
Mixed content attacks take advantage of sites that mix secure HTTPS pages with unsecured regular HTTP pages. Such sites can fool users into thinking that data is secure, when in fact it is not. The scanning service does not cover all types of vulnerabilities, so Mann recommended customers still get manual security reviews by professionals. As time goes on, Google will expand the service to cover a wider range of vulnerabilities.
Google is not charging for the scanner, though its use may incur fees on the Google App Engine services deployed by the Web application being scanned.
