Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Google Releases New Security Scanner on Its Cloud Platform

    By
    Chris Preimesberger
    -
    February 19, 2015
    Share
    Facebook
    Twitter
    Linkedin

      With cloud-deployment security a major concern for virtually all software developers, Google on Feb. 19 released to beta testing a new security-leak scanner for apps built on its cloud platform.

      The Google Cloud Security Scanner identifies security vulnerabilities in Google App Engine Web applications. It crawls the application, follows all links within the scope of the starting URLs, and attempts to exercise as many user inputs and event handlers as possible.

      Only regular App Engine instances are supported; the Security Scanner cannot be used with App Engine Managed VMs, Google Compute Engine or any other resources, Rob Mann, Google Security Engineering Manager, wrote in a blog post.

      “Deploying a new build is a thrill, but every release should be scanned for security vulnerabilities,” Mann said. “And while web application security scanners have existed for years, they’re not always well-suited for Google App Engine developers. They’re often difficult to set up, prone to over-reporting issues (false positives)—which can be time-consuming to filter and triage—and built for security professionals, not developers.”

      Mann cautioned developers that the new security scanner has its limitations.

      “The scanner complements your existing secure design and development processes. It does not replace a manual security review, and it does not guarantee that your application is free from security flaws,” Mann said. “The scanner minimizes false positives, so it will not find every possible type of vulnerability.”

      How It Works

      Crawling and testing modern HTML5 and JavaScript-heavy applications with rich multistep user interfaces are considerably more challenging than scanning a basic HTML page, Mann said. There are two general approaches to this problem:

      –Parse the HTML and emulate a browser. This is fast; however, it comes at the cost of missing site actions that require a full DOM or complex JavaScript operations.

      –Use a real browser. This approach avoids the parser coverage gap and most closely simulates the site experience. However, it can be slow due to event firing, dynamic execution and time needed for the DOM to settle.

      Cloud Security Scanner addresses the weaknesses of both approaches by using a multistage pipeline, Mann said. First, the scanner makes a high-speed pass, crawling and parsing the HTML. It then executes a slow and thorough full-page render to find the more complex sections of the site.

      Then the scanner scales horizontally. “Using Google Compute Engine, we dynamically create a botnet of hundreds of virtual Chrome workers to scan your site,” Mann said. “Don’t worry, each scan is limited to 20 requests per second or lower.”

      Scans at Several Levels

      “Then we attack your site (again, don’t worry)! When testing for XSS, we use a completely benign payload that relies on Chrome DevTools to execute the debugger. Once the debugger fires, we know we have JavaScript code execution, so false positives are almost non-existent,” Mann said.

      As with all dynamic vulnerability scanners, Mann said, a clean scan does not necessarily mean you’re security bug-free. Google still recommends a manual security review by a Web app security professional, just to be sure.

      For more information on Web security, search the topic here on eWEEK and see the OWASP Top Ten Project.

      Chris Preimesberger
      https://www.eweek.com/author/cpreimesberger/
      Chris J. Preimesberger is Editor Emeritus of eWEEK. In his 16 years and more than 5,000 articles at eWEEK, he distinguished himself in reporting and analysis of the business use of new-gen IT in a variety of sectors, including cloud computing, data center systems, storage, edge systems, security and others. In February 2017 and September 2018, Chris was named among the 250 most influential business journalists in the world (https://richtopia.com/inspirational-people/top-250-business-journalists/) by Richtopia, a UK research firm that used analytics to compile the ranking. He has won several national and regional awards for his work, including a 2011 Folio Award for a profile (https://www.eweek.com/cloud/marc-benioff-trend-seer-and-business-socialist/) of Salesforce founder/CEO Marc Benioff--the only time he has entered the competition. Previously, Chris was a founding editor of both IT Manager's Journal and DevX.com and was managing editor of Software Development magazine. He has been a stringer for the Associated Press since 1983 and resides in Silicon Valley.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×