Google today launched the beta of a new security tool for developers on its App Engine platform-as-a-service offering. The Google Cloud Security Scanner allows developers to regularly scan their applications for cross-site scripting and mixed content vulnerabilities.
Google is obviously not the first company to offer a tool like this, but as it argues in today’s announcement, the existing tools aren’t always “well-suited for Google App Engine developers.” Google also notes that these tools are typically hard to set up and “built for security professionals, not developers.”
To run its checks, Google sets up a small botnet on Compute Engine that scans your site. Requests are throttled to about 15 requests per second, which App Engine should be able to handle without problems.
On its first run, the scanner quickly crawls your site and app to parse the basic HTML. Then, as Google describes it, it makes a second pass that fully renders the site to examine the more complex, script-driven parts of the app. Once all of this is done, Google tries to attack your site with a benign payload. To do so, it uses the Chrome DevTools debugger, and the tool checks for any changes in the browser and DOM to see whether the injection actually executed (and so could be exploited).
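The mixed-content half of such a scan is simpler than the XSS check and needs no browser: parse the rendered HTML of an HTTPS page and flag sub-resources loaded over plain http://, separating active content (scripts, frames, stylesheets, which can alter the page) from passive content (images and media). The following is an added example, not Google's scanner code; the element tables and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose http:// loads can run code or restyle the page (active mixed content).
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src", "link": "href"}
# Elements whose http:// loads are display-only (passive mixed content).
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            attr, severity = ACTIVE[tag], "active"
        elif tag in PASSIVE:
            attr, severity = PASSIVE[tag], "passive"
        else:
            return
        # Only stylesheet <link>s are fetched and applied; icons and prefetch hints are not.
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        value = attrs.get(attr)
        if not value:
            return
        url = urljoin(self.page_url, value)  # resolves relative paths and //host URLs
        if urlsplit(url).scheme == "http":
            self.findings.append((severity, tag, url))


def find_mixed_content(page_url, html):
    """Return mixed-content findings for an HTTPS page; an HTTP page cannot have any."""
    if urlsplit(page_url).scheme != "https":
        return []
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page: one active and one passive finding, the rest are clean.
SAMPLE_URL = "https://example.appspot.com/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="icon" href="http://cdn.example.test/favicon.ico">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<img src="/static/secure.png">
<script src="https://cdn.example.test/ok.js"></script>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"{severity:7} <{tag}> {url}")
```

Scheme-relative URLs such as `//cdn.example.test/app.js` inherit the page's https and are correctly left unflagged.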
By using the debugger, Google can avoid false positives, but the team also acknowledges that this means it may miss some bugs. Google, however, argues that this tradeoff is worth it because “most developers will appreciate a low effort, low noise experience when checking for security issues […].”
Because the scanner actually tries to populate any field it finds and clicks on every button and link, there is a chance that it will activate some of the features on the site it is testing (so it may post a blog comment about how its roommate’s aunt made $9,000 per week last month working from home). To avoid this, Google recommends that you run the scanner on a test site, mark the UI elements it should skip with some custom CSS, or exclude specific URLs from the test.
Using the scanner is free, but it will impact your quota limits and bandwidth charges.