The Cloud Security Scanner created by Google and the GCP, is designed to work seamlessly alongside Google's App Engine applications. Though it's fair to say that this new tool has benefits to offer any company on the cloud, the Security Scanner is sure to hold interest for developers working in the Google App Engine - the PaaS (Platform as a Service) solution offering application stack infrastructure.
Because the scanner runs directly from the Google App Engine developer console, experts don't have to worry about maintaining or installing additional software. What's more, the scanner is automatically optimized to suit Google App Engine applications.
Introducing the Google Cloud Security Scanner
So, what is the Google Cloud Security scanner, and what does it do for people in the modern cloud environment? In simple terms, the Security Scanner allows developers to sift through their applications for security purposes, looking for issues like mixed content vulnerability, and cross-site scripting. To run checks securely and smoothly, Google uses a small botnet on the Compute Engine that crawls through a website looking for any signs of trouble.
During its first run, the Google Cloud Security Scanner crawls your site and any apps you're running, looking for issues with the basic HTML code. After this, Google makes an additional pass that completely renders the website, allowing the scanner to examine more comprehensive and complex parts of the application. Once all of this work is done, Google attempts to attack the website in question with a non-dangerous payload, using the built-in debugger system from Chrome's Developer Tools.
The tool checks thoroughly for any changes that might have taken place in the DOM and browser to see whether the injection was successful or could have been exploited. Using the debugger, Google can avoid the risk of false positives.
What Can the Cloud Security Scanner Do for You?
For today's developers and website owners, the GCP Cloud Security Scanner is all about cutting down on the common risks that plague modern applications and sites. It works by helping you to track down and repair common vulnerabilities in your Google App Engine applications, so you can spend less time worrying about security, and more time focusing on growth and innovation.
The Google Cloud Security Scanner automatically scans for and detects a range of common vulnerabilities, including Flash Injections, cross-site scripting and mixed content too. It also looks for insecure and outdated libraries, and enables early identification too, so that you can jump into action as quickly as possible. The GCP benefits from very small false positive rates, which helps to offer peace of mind, and you can easily set up your security scans, run, and schedule them for free from your Google Cloud Platform account.
The Google Cloud Security Scanner ensures that app developers can pinpoint the presence of possible vulnerabilities before production. Once a scan has been set up, the cloud security scanner works automatically with the application, following all links within the starting URLs, and exercising various user inputs. It focuses on delivering actionable results for XSS, mixed content usage, Flash injection, and insecure libraries, with very low false positive results, so you can jump into action as quickly as possible.
What's more, another great feature of the GCP security scanner is the fact that you can easily set up and run your scheduled or immediate security scans from the Cloud Platform console. Scans come from a test environment and are enabled specifically for targets in your APP Engine, to protect against unintended effects.
The Features of the Cloud Security Scanner
Before you start scanning your app systems, Google recommends that its users carefully audit their applications to look for any feature that might affect the systems or data users beyond the scope of the scan. The fact that Cloud Security Scanner is designed to push buttons on your apps, populate fields, click links, and more means that it needs to be used with strategy and caution. The Security Scanner can sometimes activate features that would change the state of your system or data, with undesirable results. For instance:
In an email page, your Cloud Security Scanner might end up generating a huge number of test emails, etc.
In a blog application, Cloud Security Scanner might post test strings on your blog articles that spam your comments.
Fortunately, Google provides guidance on how to minimize unintended consequences. If you know how to use it with care, the Cloud Security Scanner can be very useful, as it comes with a range of rich features, including:
Simple control: Run immediate or scheduled scans from your Developer Console with ease, selecting excluded paths and choosing specific endpoints.
Vulnerability detection: Look for common issues like mixed content, flash injection, and XSS.
Actionable Results: Google offers you with clear scan results so you can respond quickly and effectively to possible vulnerabilities.
Selection of browsers: Run scans using Safari, Chrome, Blackberry, and other browser agents.
Authentication: The Security Scanner offers support for non-Google, and Google accounts, with automatic support for various log-in scenarios.
Using the Google Cloud Security Scanner
The Google Cloud Security Scanner is a powerful service for those seeking to protect the security of their application engine. Before you start using it, of course, you should be familiar with the limitations and capabilities of the tool, and how its features might interact with your applications. While scanning is a great way to detect possible vulnerabilities, your strategy needs to be set up with caution to avoid unwanted circumstances.
For more help using the Google Cloud Security Scanner, or for assistance setting up your Google Cloud Platform strategy, contact Coolhead Tech today!