Google today launched the Google Cloud Security Scanner in beta. The new tool lets App Engine developers scan their web applications for two common types of vulnerabilities: cross-site scripting (XSS) and mixed content.
To access Google Cloud Security Scanner, head to the Google Developers Console, select Compute, choose App Engine, and then Security. This will run your first scan.
Here is the tool’s official description:
It crawls your application, following all links within the scope of your starting URLs, and attempts to exercise as many user inputs and event handlers as possible. Only regular App Engine instances are supported. You cannot use the Security Scanner with App Engine Managed VMs, Google Compute Engine, or any other resources.
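Of the two checks the scanner performs, mixed content is the simpler to illustrate. The following is an added example, not Google's scanner code: it assumes a page fetched over HTTPS and its HTML as a string, then flags every sub-resource referenced over plain http://, separating active content (scripts, stylesheets, frames, which browsers block) from passive content (images, media). The sample page and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that carry sub-resource URLs, and tags whose content the browser executes.
URL_ATTRS = {"script": "src", "link": "href", "iframe": "src", "object": "data",
             "embed": "src", "img": "src", "audio": "src", "video": "src", "source": "src"}
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed"}


class MixedContentParser(HTMLParser):
    """Collects every sub-resource an https:// page pulls in over plain http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute_url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only <link rel="stylesheet"> fetches something the browser executes.
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        raw = attrs.get(URL_ATTRS.get(tag, ""))
        if not raw:
            return
        # urljoin resolves relative and protocol-relative ("//host/x") URLs; the latter inherit https.
        absolute = urljoin(self.page_url, raw.strip())
        if urlsplit(absolute).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((tag, absolute, kind))


def find_mixed_content(page_url, html):
    """Return [(tag, url, kind)] for each http:// resource referenced by an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages served over TLS
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample page for the demo (not a real site).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//cdn.example.com/app.js"></script><script src="http://cdn.example.com/old.js"></script>
</head><body><img src="http://img.example.com/logo.png"><img src="/static/safe.png"></body></html>"""

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content("https://app.example.com/", SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
```

The protocol-relative script and the same-origin image resolve to https and are correctly left alone; a real crawler would run this over every page it reaches, as the tool description above says.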
Google notes that there are two typical approaches to such security scans:
- Use a real browser. This approach avoids the parser coverage gap and most closely simulates the site experience. However, it can be slow due to event firing, dynamic execution, and time needed for the DOM to settle.
Google’s own method uses Google Compute Engine to dynamically create a botnet of hundreds of virtual Chrome workers to scan an app. Target sites won’t be overloaded, however, as each scan is limited to a maximum of 20 requests per second.
This approach is hardly thorough, but it is a low-effort and low-noise way to check for security issues. That said, Google still recommends “a manual security review by your friendly web app security professional.”
As for Cloud Security Scanner, Google doesn’t say how long the service will be in beta. It does, however, promise “many more features to come.”