Google releases cloud app security scanner

Beta version aimed at developers

24 February 2015 by Drew Amorosi - Datacenter Dynamics

Google releases cloud app security scanner
Thinkstock / frankpeters

Users of Google’s App Engine will now have access to an application security tool that will scan for two common vulnerabilities. The beta version of its Cloud Security Scanner will evaluate applications created on App Engine – the company’s platform-as-a-service product that builds and runs applications deployed within the Google Cloud infrastructure.

The scanner will assess App Engine-created applications for cross-site scripting (XXS) and mixed content, which are two common web application vulnerabilities.

“While web application security scanners have existed for years, they’re not always well-suited for Google App Engine developers. They’re often difficult to set up, prone to over-reporting issues (false positives)—which can be time-consuming to filter and triage—and built for security professionals, not developers,” noted Rob Mann, Google’s Security Engineering Manager, in a blog post announcing the new tool.

The new scanner should only be used as a preliminary assessment, Mann added, as he recommends that all applications still receive manual inspection from a web application security pro before deployment.

He described the Cloud Security Scanner as using a multi-stage pipeline. “First, the scanner makes a high speed pass, crawling, and parsing the HTML. It then executes a slow and thorough full-page render to find the more complex sections of your site.”

As for evaluating for XXS vulnerabilities – often prevalent, but easy to remedy – Mann said the scanner deploys a benign payload to simulate an attack on the user’s site that uses Chrome DevTools to execute the debugger.

“Once the debugger fires, we know we have JavaScript code execution, so false positives are (almost) non-existent”, Mann added. “While this approach comes at the cost of missing some bugs due to application specifics, we think that most developers will appreciate a low effort, low noise experience when checking for security issues—we know Google developers do!”


Sign in

Forgotten Password?

Create MyDCD account


region LATAM y España North America Europe Em Português Middle East Africa Asia Pacific

Whitepapers View All