Google’s new Cloud Security Scanner detects common security bugs

Here’s some good news for Google App Engine developers: Google has released a new application security scanner that’s especially fitting to test new app builds for cross-site scripting (XSS) and mixed content vulnerabilities.

Unlike other existing web app scanning offerings, this solution is meant to flag the most common issues App Engine developers face and is good at scanning JavaScript-heavy web applications.

“Crawling and testing modern HTML5, JavaScript-heavy applications with rich multi-step user interfaces is considerably more challenging than scanning a basic HTML page,” noted Rob Mann, Security Engineering Manager at Google.

The two usual approaches – parsing the HTML and emulating a browser, or using a real browser – have their weaknesses.

Cloud Security Scanner addresses those weaknesses by first making a high speed pass and parse of the HTML, then performing a slower, full-page render.

Then, a dynamically created botnet of hundreds of virtual Chrome workers scans the site, but don’t bombard it with requests and accidentally take it down.

Next comes the testing for XSS bugs. “We use a completely benign payload that relies on Chrome DevTools to execute the debugger. Once the debugger fires, we know we have JavaScript code execution, so false positives are (almost) non-existent,” Mann explained, but warned that this approach might not flag all the bugs due to application specifics.

In general, he says that no scanner is foolproof, and after all the scanning, a manual security review of the app is always a great idea.

Cloud Security Scanner is currently in beta, and can be accessed via Google’s Developers Console (Compute > App Engine > Security scans).