Google Cloud Security Scanner, now available as a free beta for Google App Engine users, is designed to overcome a number of limitations often found in commercial Web application security scanners, noted Google security engineering manager Rob Mann in a blog post announcing the new service.
Commercials scanners can be difficult to set up. They can over-report issues, leading to too many false positives. They are designed more for security professionals than developers.
Google's scanner was designed to be easier to use, Mann said. The service is designed to spot errors in code that could be exploited through XSS (cross side scripting) or mixed content attacks, two common attack methods.
The scanner inspects a Web application in multiple steps. First, it quickly reviews the application's HTML code, which renders the front-end interface for users. Then it digs more deeply into the JavaScript code that runs the business logic for the site.
XSS attacks occur in sites that allow users to submit their own content, such as a discussion forum. If the Web server does not properly vet the submitted materials, attackers can add malicious code that executes when other users visit the site.
Mixed content attacks take advantage of sites that mix secure HTTPS pages with unsecured regular HTTP pages. Such sites can fool users into thinking that data is secure, when in fact it is not.
The scanning service does not cover all types of vulnerabilities, so Mann recommended customers still get manual security reviews by professionals. As time goes on, Google will expand the service to cover a wider range of vulnerabilities.
At present Google is not charging for the scanner, though its use may incur fees on the Google App Engine services deployed by the Web application being scanned.
Google Cloud Platform competitor Amazon Web Services does not offer a security scanning service for its customers, though a number of third-party companies offer scanning services on the Amazon marketplace.
Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com