
Is the Google Cloud Security Scanner enterprise grade?

Learn how cloud security scanners compare to traditional vulnerability scanners and whether the Google Cloud Security Scanner is ready for enterprise use.

Google recently introduced its new Cloud Security Scanner. How does a cloud security or Web application scanner stack up against traditional vulnerability scanners? Is Google's scanner viable for enterprise use, or are there caveats enterprises should be aware of?

Google's new Cloud Security Scanner is designed to work with Google App Engine applications. While the Google scanner is a welcome addition to the set of security tools available, it will primarily interest Google App Engine developers.

Google App Engine is a platform as a service (PaaS) that provides application stack infrastructure. The PaaS supports development using Python, Java, PHP and Go. While developers deploying on the Google App Engine can use third-party scanning tools, other tools may not be as easy to deploy or as precise as the Google Cloud Security Scanner.

This scanner is run from the Google App Engine developer console, so there is no additional software to install and maintain. Also, the scanner is optimized for Google App Engine applications. For example, the scanner performs a preliminary scan by parsing HTML and emulating a browser. This is a relatively fast operation, but it is not comprehensive -- complex JavaScript code vulnerabilities would be missed.

Vulnerabilities missed by the fast scan may be detected by a second stage scan that emulates a full browser. This is a slower operation, but it provides more comprehensive scanning. The scanner uses a set of Google Compute Engine instances to horizontally scale as needed to scan sites.

The scanner is designed to exercise every control and input it finds, although it may not evaluate all of them. Keep in mind that although there is no charge for using the Google Cloud Security Scanner, the resources it consumes -- such as API calls -- do count against your quota.

Care should be taken when running the scanner, since it attempts to exercise all inputs and controls. Google has several recommendations for avoiding unintended consequences such as altering production data: run scans in a test environment, use a test account with limited privileges, back up data before running the scan, and block user interface components that should not be tested.
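The two points above, the gap between a fast HTML-parsing stage and full browser emulation, and the need to keep state-changing controls away from production data, can be seen in a small added example. This is illustrative code written for this page, not Google's scanner implementation or any App Engine API; the sample page, the `FormExtractor` class and the helper functions are all constructed here for demonstration. It parses static markup the way a first-stage crawl would, shows that a form created by JavaScript is invisible to that stage, and flags the forms whose submission could modify data.

```python
"""Added example (not from the article or from Google): a minimal static-HTML
form extractor of the kind a fast "parse the HTML" scan stage relies on, run
over a constructed page to show which inputs that stage sees and which only a
full browser emulation (the slower second stage) would reach."""
from html.parser import HTMLParser

# Constructed sample page: one form in static markup, one created at runtime
# by JavaScript. A thorough scan should eventually exercise both.
SAMPLE_PAGE = """
<html><body>
<form action="/search" method="get">
  <input type="text" name="q">
  <input type="submit" value="Search">
</form>
<div id="admin"></div>
<script>
  // this form exists only after the script runs in a browser
  var f = document.createElement('form');
  f.action = '/admin/delete'; f.method = 'post';
  f.innerHTML = '<input type="text" name="record_id">' +
                '<input type="submit" value="Delete">';
  document.getElementById('admin').appendChild(f);
</script>
</body></html>
"""


class FormExtractor(HTMLParser):
    """Collects {action, method, inputs} for every <form> in static HTML.
    Script bodies are treated as opaque text by HTMLParser, so markup built
    inside JavaScript strings is never reported, exactly the blind spot of a
    non-browser scan stage."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                "action": attrs.get("action", ""),
                "method": (attrs.get("method") or "get").lower(),
                "inputs": [],
            }
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = attrs.get("name")
            if name:  # unnamed controls (e.g. submit buttons) carry no parameter
                self._current["inputs"].append(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def static_forms(page: str):
    """Stage-one view: forms visible without executing any JavaScript."""
    parser = FormExtractor()
    parser.feed(page)
    parser.close()
    return parser.forms


def state_changing_forms(forms):
    """Forms whose submission may alter server-side data. These are the controls
    to point only at a test environment, a limited-privilege test account and a
    backed-up data set before letting a scanner drive them."""
    return [f for f in forms if f["method"] in ("post", "put", "delete")]


if __name__ == "__main__":
    found = static_forms(SAMPLE_PAGE)
    print("forms seen by static parsing:", found)
    print("state-changing among them:", state_changing_forms(found))
```

Running it reports only the `/search` GET form; the JavaScript-built `/admin/delete` POST form, the one most likely to alter data, is missed entirely by the static stage and would surface only when a full browser executes the page. That is why the slower second stage matters, and why Google's advice to scan a test environment with a test account and a fresh backup applies to the controls a scanner discovers late as much as to the obvious ones.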

The Google Cloud Security Scanner can be used for applications deployed on the Google App Engine. Before use, developers should be familiar with the capabilities and limitations of the scanner and understand how those features will interact with custom applications. Scanning is a good way to detect vulnerabilities, but caution is needed to avoid unintended consequences of exercising user interface components.

