Google on Thursday released "Google Cloud Security Scanner", a web application vulnerability scanner that scans developers' applications hosted on its cloud platform for common security vulnerabilities.
Google Cloud Security Scanner, now in beta, allows App Engine developers to regularly scan their applications for two common security vulnerabilities that Google App Engine developers face:
1) Cross-Site Scripting (XSS)
2) Mixed Content Scripts
Google says such website vulnerability scanners are typically hard to set up and "built for security professionals," not for the web application developers who run apps on Google App Engine, whereas Google Cloud Security Scanner is meant to be easier for those developers to use.
Today, common HTML5 and JavaScript-heavy applications are more challenging to crawl and test, and Google Cloud Security Scanner claims to take a novel approach: it parses the code and then executes a full-page render to find more complex areas of a developer's site.
Developers can access the Cloud Security Scanner under Compute > App Engine > Security in Google's Developers Console, from where the first scan can be started. It does not work with App Engine Managed VMs, Google Compute Engine, or other resources.
Google notes that there are two typical approaches to such security scans:
Parse the HTML and emulate a browser – This is fast; however, it comes at the cost of missing site actions that require a full DOM or complex JavaScript operations.
Use a real browser – This approach avoids the parser coverage gap and most closely simulates the site experience. However, it can be slow due to event firing, dynamic execution, and time needed for the DOM to settle.
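The following is an added example, not code from Google's scanner, that ties together the two points above: it implements a minimal check for one of the two vulnerability classes the scanner looks for (mixed content scripts, i.e. `<script src="http://...">` loaded by a page served over HTTPS) using the first of the two approaches listed, parsing the HTML without a real browser. The sample pages, the hostnames and the function names are constructed for the example; the third sample shows the parser coverage gap the article describes, since a script tag injected at run time by JavaScript is invisible to a pure HTML parser.

```python
"""Added example (not Google's scanner code): parser-based detection of
mixed-content scripts on an HTTPS page. Demonstrates the "parse the HTML"
approach and its blind spot for scripts injected by JavaScript at run time.
All sample pages and hostnames below are constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class MixedContentScriptFinder(HTMLParser):
    """Collect <script src> URLs that resolve to plain http on an https page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self._base = page_url  # updated if the page carries a <base href>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # <base href> changes how relative script URLs resolve
            self._base = urljoin(self.page_url, attrs["href"])
        if tag == "script" and attrs.get("src"):
            # Resolve relative and protocol-relative ("//host/x.js") URLs
            # against the page, then inspect the resulting scheme.
            resolved = urljoin(self._base, attrs["src"].strip())
            if urlsplit(resolved).scheme == "http":
                self.findings.append(resolved)


def find_mixed_content_scripts(page_url, html):
    """Return the list of http:// script URLs found in an https page.

    Returns [] when nothing is found, and also when the page itself is not
    served over https (mixed content is only meaningful on an https page).
    """
    if urlsplit(page_url).scheme != "https":
        return []
    finder = MixedContentScriptFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample pages (hypothetical hosts, not real sites).
SAMPLE_VULNERABLE = """<html><head>
<script src="http://cdn.example.test/lib.js"></script>
<script src="//cdn.example.test/ok.js"></script>
<script src="/static/app.js"></script>
</head></html>"""

SAMPLE_CLEAN = """<html><head>
<script src="https://cdn.example.test/lib.js"></script>
<script src="/static/app.js"></script>
</head></html>"""

# The http:// script here is only created when JavaScript runs, so a pure
# HTML parser reports nothing; only a real-browser render would see it.
SAMPLE_DYNAMIC = """<html><head>
<script>
  var s = document.createElement("script");
  s.src = "http://cdn.example.test/late.js";
  document.head.appendChild(s);
</script>
</head></html>"""

if __name__ == "__main__":
    page_url = "https://app.example.test/"
    for name, page in (("vulnerable", SAMPLE_VULNERABLE),
                       ("clean", SAMPLE_CLEAN),
                       ("dynamic", SAMPLE_DYNAMIC)):
        print(name, find_mixed_content_scripts(page_url, page))
```

Running the block reports the one `http://` script in the vulnerable page, nothing for the clean page, and (incorrectly, which is the point) nothing for the dynamic page: the parser approach is fast but misses what only a full DOM render would reveal, which is why a browser-based pass is still needed.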
Google Cloud Security Scanner uses Google Compute Engine to dynamically create a botnet of hundreds of virtual Chrome workers, which scan at a maximum rate of 20 requests per second so that target sites are not overloaded.
Google still recommends that developers also carry out a manual security review, just to be on the safe side. However, the company hopes its vulnerability scanner will provide a simple solution to the most common App Engine issues with minimal false positives.