Google Cloud offers security scanning for customer apps
- 20 February, 2015 08:57
Google has released a security scanner to help its cloud customers guard against attacks on their Web applications.
Google Cloud Security Scanner, now available as a free beta for Google App Engine users, is designed to overcome a number of limitations often found in commercial Web application security scanners, noted Google security engineering manager Rob Mann in a blog post announcing the new service.
Commercials scanners can be difficult to set up. They can over-report issues, leading to too many false positives. They are designed more for security professionals than developers.
Google's scanner was designed to be easier to use, Mann said. The service is designed to spot errors in code that could be exploited through XSS (cross side scripting) or mixed content attacks, two common attack methods.
XSS attacks occur in sites that allow users to submit their own content, such as a discussion forum. If the Web server does not properly vet the submitted materials, attackers can add malicious code that executes when other users visit the site.
The scanning service does not cover all types of vulnerabilities, so Mann recommended customers still get manual security reviews by professionals. As time goes on, Google will expand the service to cover a wider range of vulnerabilities.
At present Google is not charging for the scanner, though its use may incur fees on the Google App Engine services deployed by the Web application being scanned.
Google Cloud Platform competitor Amazon Web Services does not offer a security scanning service for its customers, though a number of third-party companies offer scanning services on the Amazon marketplace.