Google recently introduced its new Cloud Security Scanner. How does a cloud security or Web application scanner stack up against traditional vulnerability scanners? Is Google's scanner viable for enterprise use, or are there caveats enterprises should be aware of?
Google's new Cloud Security Scanner is designed to work with Google App Engine applications. While the Google scanner is a welcome addition to the set of security tools available, it will primarily interest Google App Engine developers.
Google App Engine is a platform as a service (PaaS) that provides application stack infrastructure. The PaaS supports development using Python, Java, PHP and Go. While developers deploying on the Google App Engine can use third-party scanning tools, other tools may not be as easy to deploy or as precise as the Google Cloud Security Scanner.
Vulnerabilities missed by the fast scan may be detected by a second stage scan that emulates a full browser. This is a slower operation, but it provides more comprehensive scanning. The scanner uses a set of Google Compute Engine instances to horizontally scale as needed to scan sites.
The scanner is designed to test all controls and inputs, but it may not evaluate some. Keep in mind that although there is no charge for using the Google Cloud Security Scanner, the resources used -- such as API calls -- do count against your quota.
Care should be taken when running the scanner, since it attempts to exercise all inputs and controls. Google has several recommendations for avoiding unintended consequences, such as altering production data: run scans in a test environment, use a limited-privilege test account, back up data before running the scan and block user interface components that should not be tested.
The Google Cloud Security Scanner can be used for applications deployed on the Google App Engine. Before use, developers should be familiar with the capabilities and limitations of the scanner and understand how those features will interact with custom applications. Scanning is a good way to detect vulnerabilities, but caution is needed to avoid unintended consequences of exercising user interface components.