As more people use the cloud for both storage and computing, on February 19th, 2015, the search giant Google released a Cloud Security Scanner to make scanning for vulnerabilities on its cloud platform more effective.
There are already several security scanner available in the form of web applications. But Google said that those typically aren't suited well to its Google Apps Engine environment. Google said that there is a tendency to report false positive, and setup can be more complicated.
"Deploying a new build is a thrill, but every release should be scanned for security vulnerabilities. And while web application security scanners have existed for years, they're not always well-suited for Google App Engine developers. They're often difficult to set up, prone to over-reporting issues (false positives) - which can be time-consuming to filter and triage - and built for security professionals, not developers," said the company in a blog post.
Google's solution is to ease developers, particularly in scanning two most common vulnerabilities: cross-site scripting (XSS) and mixed content.
Many modern web applications are created with HTML5, extensive use of JavaScript, and rich milti-step user interface. Scanning these web applications is a considerable challenge if compared to scanning basic HTML pages.
Google approached the problem by:
- Parsing the HTML and emulate a browser. This method is fast but can miss several site actions.
- Using a real browser. This approach avoids the parser coverage gap and most closely simulates the site experience. However, it can be slow.

"Cloud Security Scanner addresses the weaknesses of both approaches by using a multi-stage pipeline. First, the scanner makes a high speed pass, crawling, and parsing the HTML. It then executes a slow and thorough full-page render to find the more complex sections of your site," posted Rob Mann, Google's Security Engineering Manager.
The result of the methods is faster crawling speed than using normal browser. But it is still too slow. To solve the problem, Google uses Google Compute Engine to dynamically create botnets of hundreds of virtual Chrome workers to scan the site. These bots will scan a limited of 20 request per second, or lower.
Initially released as beta, the tools crawl applications by following all links within scope of the starting URLs. The tools then attempts to exercise as many user inputs and event handlers as possible.
Google will then initiate an "attack" to the scanned website to test for XSS by giving payloads that relies on Chrome DevTools.
Just like other dynamic vulnerability scanners, Google's scanning tools that complement users' design and development process, and doesn't replace any manual security review, doesn't guarantee a flaw-free application after it has been scanned. Developers are still opted to seek professionals in the security field, but the tools are meant to provide easy and simple solution to solve most common App Engine issues, with as minimal false positive as possible.
Despite the tools don't replace any manual security review, the scanner populates fields, pushes buttons, clicks on links, and more. So Google advises that the tools are used with caution. The scanner may give undesirable effects and changes the state of stored data or system.
To minimize the consequences, Google said that users should first run the initial scan on a test environment by creating a separate App Engine project to load the data there. Users can also use Google's cloud service. Users can also create a test account that doesn't have access to sensitive data so it won't initiate harmful operations while scanning. Users can block individual UI elements, exclude URLs so they won't be scanned, and backing up the data before doing anything else.














































































































































































































































































































































































