This content is part of the Essential Guide: Developing cloud applications in the new IT era

Google scanner bolsters secure cloud application development

Google's new cloud security scanner aims to make application vulnerability scanning easier for Google App Engine developers.

In response to increasing cloud security offerings from public cloud providers Amazon Web Services Inc. and Microsoft, Google has gotten into the act with a new tool to support secure cloud application development. The company last week released a beta version of its new Google Cloud Security Scanner.

According to Rob Mann, security engineering manager at Google, the scanner was designed to be easy to use and set up to detect common issues for Google App Engine developers -- such as cross-site scripting and mixed content -- while keeping false positives to a minimum.

"[W]hile Web application security scanners have existed for years, they're not always well-suited for Google App Engine developers," Mann wrote in a blog post. "They're often difficult to set up, prone to over-reporting issues [false positives] -- which can be time-consuming to filter and triage -- and built for security professionals, not developers."

Because crawling and testing HTML5 and JavaScript-heavy applications is more difficult than scanning a basic HTML page, Mann wrote, Google's security scanner takes what it calls a "multistage pipeline" approach. The process starts with a fast crawling and parsing of the HTML, followed by a slower and more detailed page render of the complex sections of the site.

In addition, the Cloud Security Scanner uses Google Compute Engine to spin up what Google describes as a "botnet" of hundreds of virtual Chrome workers to scan a site (Google said each scan is limited to a maximum of 20 requests per second, so the workers add coverage, not load).
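To make the first, fast stage of that pipeline concrete, here is an added example (not Google's code, and not part of the original article) of a stage-one pass that parses fetched HTML without rendering it, collects same-origin links for the crawl frontier, flags mixed content (plain http:// subresources on an https page, one of the issue classes the scanner targets), and marks pages that carry scripts for the slower browser-render stage. The function name scan_page, the host names and the sample HTML are all assumptions constructed for the example; only the standard library is used.

```python
"""Stage-one crawl/parse pass of a two-stage web scanner, with a mixed-content check.

Added example, not the Google Cloud Security Scanner's code. Host names and
the sample page below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs the browser loads as subresources. A plain http:// value
# on an https page is mixed content. <link> is handled separately, because only
# rel="stylesheet" links are actually loaded; canonical/alternate are not.
RESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "form": "action",
    "video": "src", "audio": "src", "source": "src",
}


class _Stage1Parser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        parts = urlsplit(page_url)
        self.page_scheme, self.page_host = parts.scheme, parts.netloc
        self.links = []          # same-origin URLs for the crawl frontier
        self.findings = []       # (tag, attribute, resolved URL)
        self.needs_render = False  # scripts present: hand the page to stage 2

    def _check_resource(self, tag, attr, value):
        # urljoin resolves relative and protocol-relative (//host/x) references
        # against the page, so those inherit https and are not flagged.
        resolved = urljoin(self.page_url, value)
        if self.page_scheme == "https" and urlsplit(resolved).scheme == "http":
            self.findings.append((tag, attr, resolved))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.needs_render = True
        if tag == "a" and attrs.get("href"):
            url = urlsplit(urljoin(self.page_url, attrs["href"]))
            if url.scheme in ("http", "https") and url.netloc == self.page_host:
                self.links.append(url._replace(fragment="").geturl())
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" in rel and attrs.get("href"):
                self._check_resource(tag, "href", attrs["href"])
            return  # other rel values are not fetched as subresources
        attr = RESOURCE_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self._check_resource(tag, attr, attrs[attr])


def scan_page(page_url, html):
    """Parse one fetched page; return frontier links, mixed-content findings and a render flag."""
    parser = _Stage1Parser(page_url)
    parser.feed(html)
    parser.close()
    return {
        "links": sorted(set(parser.links)),
        "mixed_content": parser.findings,
        "needs_render": parser.needs_render,
    }


# Constructed sample input (not captured from any real site).
SAMPLE_URL = "https://app.example.com/account/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="canonical" href="http://app.example.com/account/">
<script src="//cdn.example.net/app.js"></script>
</head><body>
<img src="img/logo.png">
<img src="http://static.example.org/banner.png">
<a href="/settings">Settings</a>
<a href="https://app.example.com/help#faq">Help</a>
<a href="https://other.example.com/">Partner</a>
<form action="http://app.example.com/login" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    result = scan_page(SAMPLE_URL, SAMPLE_HTML)
    for tag, attr, url in result["mixed_content"]:
        print(f"mixed content: <{tag} {attr}={url}>")
    print("frontier:", result["links"])
    print("needs render:", result["needs_render"])
```

The rel="stylesheet" filter and the protocol-relative handling are where a naive regex scanner over-reports: a canonical link or a //cdn reference is not mixed content, and flagging it is exactly the kind of false positive the article says developers will not wade through. Real fetching sits outside this block and would need the per-scan request cap the article mentions.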

Cloud scanning obstacles

Google is the first of the major public cloud providers to offer its own cloud vulnerability scanner. Google's primary cloud competitor AWS, for example, does not offer an application vulnerability scanner, while Microsoft's Baseline Security Analyzer checks Windows hosts for missing patches and misconfigurations rather than testing web applications.


Traditionally, major cloud providers have relied on third-party security vendors to build tailored vulnerability scanners to test their environments. Security professionals are divided on whether other cloud providers will follow suit and build their own vulnerability scanners due to the complexities of vulnerability scanning in the cloud.

While the cloud can make it easier to apply updates and security patches because there is a single instance of a given cloud app or service, the vulnerability-scanning process can be much more complicated, according to security professionals, because the application is hosted off-premises rather than on the client's infrastructure.

Morey Haber, senior director of endpoint and vulnerability management solutions at Phoenix-based security vendor BeyondTrust Inc., said it can be difficult to create a controlled environment to scan a cloud app, which requires obtaining detailed permissions from the cloud provider or SaaS vendor.

"It's harder but not impossible," Haber said of vulnerability scanning the cloud. "Web application scans by their very nature are intrusive."

And cloud providers are often restrictive about what they allow security vendors to scan for and how they scan for it. For example, Haber said, AWS doesn't allow third parties to scan IP addresses in AWS and will only make rare exceptions to that rule.

In addition to getting permissions, security vendors must also balance their scanning and testing between the forward-facing application and the back-end infrastructure of the cloud provider.

Tim Byrne, product manager at Boston-based security firm Core Security Inc., said finding that balance can be tricky. Byrne said Core Security introduced a version of its CloudInspect built specifically for AWS, but the product "failed miserably" at first because it was too focused on the vendor infrastructure and not the actual app.

As a result, Byrne said, it makes sense that cloud providers would build their own scanning and testing tools since they have greater access to the application code and infrastructure on which it's hosted.

"I think we'll definitely see more cloud providers doing this," Byrne said.

Jonathan Trull, CISO of security vendor Qualys Inc., based in Redwood City, Calif., said Google made a smart move by introducing its own scanner because not only does it provide a differentiator for security-concerned developers and clients, but it could also alleviate the permissions workload for Google.

"I can see why Google would do this," Trull said. "They must get so many requests for permission to scan [from security third-party vendors] that it's probably a drain on their internal resources."

But Trull said there may be drawbacks to using an in-house vulnerability scanner since the cloud provider may not want to give full visibility of the app and the back-end infrastructure to its clients.

"I'd be a little mistrustful of cloud providers building in their own scanning and testing tools," Trull said. "As we've seen, cloud providers don't want to give out too much data about their infrastructure."

Byrne agreed, calling the situation a double-edged sword. "On one hand, it's good to have the scanning and testing done in-house, because you want to be as close as possible to the target," he said. "On the other hand, if you're the customer, it may be hard to get visibility into what [the cloud provider] is finding."

While Trull said he thinks Google security has done "a great job" with its developer-focused scanner, he's skeptical that other major cloud providers will do the same. "Google is a unique animal," he said, "so I'm not sure this is going to be the norm."

The Google scanner, the vendors agreed, likely won't replace third-party vendor scanners any time soon. The Cloud Security Scanner currently only scans for a limited range of vulnerabilities, and Google itself admits its scanner isn't a magic bullet.

"As with all dynamic vulnerability scanners, a clean scan does not necessarily mean you're security-bug free," Mann wrote. "We still recommend a manual security review by your friendly Web app security professional."

The Cloud Security Scanner is currently available as a free tool.
