With cloud-deployment security a major concern for virtually all software developers, Google on Feb. 19 released to beta testing a new security-leak scanner for apps built on its cloud platform.
The Google Cloud Security Scanner identifies security vulnerabilities in Google App Engine Web applications. It crawls the application, follows all links within the scope of the starting URLs, and attempts to exercise as many user inputs and event handlers as possible.
Only regular App Engine instances are supported; the Security Scanner cannot be used with App Engine Managed VMs, Google Compute Engine or any other resources, Rob Mann, Google Security Engineering Manager, wrote in a blog post.
“Deploying a new build is a thrill, but every release should be scanned for security vulnerabilities,” Mann said. “And while web application security scanners have existed for years, they’re not always well-suited for Google App Engine developers. They’re often difficult to set up, prone to over-reporting issues (false positives)—which can be time-consuming to filter and triage—and built for security professionals, not developers.”
Mann cautioned developers that the new security scanner has its limitations.
“The scanner complements your existing secure design and development processes. It does not replace a manual security review, and it does not guarantee that your application is free from security flaws,” Mann said. “The scanner minimizes false positives, so it will not find every possible type of vulnerability.”
How It Works
Crawling and testing modern HTML5 and JavaScript-heavy applications with rich multistep user interfaces are considerably more challenging than scanning a basic HTML page, Mann said. There are two general approaches to this problem:
–Parse the HTML and emulate a browser. This is fast; however, it comes at the cost of missing site actions that require a full DOM or complex JavaScript operations.
–Use a real browser. This approach avoids the parser coverage gap and most closely simulates the site experience. However, it can be slow due to event firing, dynamic execution and time needed for the DOM to settle.
Cloud Security Scanner addresses the weaknesses of both approaches by using a multistage pipeline, Mann said. First, the scanner makes a high-speed pass, crawling and parsing the HTML. It then executes a slow and thorough full-page render to find the more complex sections of the site.
Then the scanner scales horizontally. “Using Google Compute Engine, we dynamically create a botnet of hundreds of virtual Chrome workers to scan your site,” Mann said. “Don’t worry, each scan is limited to 20 requests per second or lower.”
Scans at Several Levels
“Then we attack your site (again, don’t worry)! When testing for XSS, we use a completely benign payload that relies on Chrome DevTools to execute the debugger. Once the debugger fires, we know we have JavaScript code execution, so false positives are almost non-existent,” Mann said.
As with all dynamic vulnerability scanners, Mann said, a clean scan does not necessarily mean you’re security bug-free. Google still recommends a manual security review by a Web app security professional, just to be sure.
For more information on Web security, search the topic here on eWEEK and see the OWASP Top Ten Project.