Google Cloud Platform released a Web application security scanner in an attempt to make security scanning easier for Google app developers. While many third-party security vendors have cloud and Web application scanners for public cloud services and apps, Google is one of the first major cloud providers to offer its own in-house scanner. This tip will look at how cloud security scanners work, the benefits and drawbacks of using a cloud provider's own scanner, and how Google's Web security scanner compares to some of the other leading third-party tools.
There are a number of third-party network and Web application security scanning tools available from leading vendors, and several of these have been optimized and integrated into cloud services environments to allow scanning, as well. Examples of leading Web application scanners integrated into cloud environments include Qualys Web Application Scanning (WAS), Tenable Nessus for Amazon Web Services and Core CloudInspect. Other scanners can also be used to scan cloud application environments, but may not be natively integrated.
Benefits of using a cloud provider's security scanner
One of the major benefits of Google's new offering is that it's built-in, so no additional configuration or permission requests are needed to get going right away. In addition, the scanner is simple to set up and run, and can periodically check sites for security issues and send alerts and reports. This automated approach to scanning could help development teams that are strapped for time to improve their security posture with minimal effort. In addition, Google's team is likely to add features over time, which will then be readily available to scan Google App Engine applications.
Drawbacks of a built-in scanning tool
Despite its ease of configuration, Google's scanner is very simplistic, and only tests for two major issues: cross-site scripting and mixed content (the use of HTTP within HTTPS sites). These are major risks for cloud-based Web applications, so it makes sense to start with these issues. However, this is only a small fraction of the types of issues other scanning tools will ferret out, and any security and development teams that need to scan applications for compliance requirements -- or just want to meet basic best practices for Web application assessments -- will need to use other tools. The leading Web application scanners from Qualys, Tenable, IBM, Acunetix, Trustwave and others will always test for the OWASP Top Ten Web application security flaws at a minimum, and often much more.
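To make the second of those two checks concrete, here is an added example (not Google's scanner and not code from the article) of what a minimal mixed-content check does: parse an HTTPS page's HTML, resolve every sub-resource reference against the page URL, and flag any that end up on plain http. The sample HTML and hostnames are constructed for the example; browsers block "active" mixed content (scripts, frames, stylesheets, plugins) outright and only warn on "passive" content such as images, so the check records that distinction too.

```python
"""Minimal mixed-content checker for an HTTPS page.

Added example: it illustrates the kind of check a Web security scanner
performs, not Google's implementation. Sample page and hostnames are
constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch (or send to) another URL.
RESOURCE_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "object": ("data",),
    "embed": ("src",),
    "img": ("src",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "form": ("action",),
}

# Active content is blocked by modern browsers; passive content is merely
# warned about, but still leaks and can be tampered with in transit.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed", "form"}


def classify(tag):
    """Return 'active' or 'passive' for a flagged tag."""
    return "active" if tag in ACTIVE_TAGS else "passive"


class MixedContentParser(HTMLParser):
    """Collects (tag, attribute, absolute_url, severity) for http references."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return  # plain navigation links (<a href>) are not sub-resources
        for name, value in attrs:
            if name in wanted and value:
                # Relative and protocol-relative ("//host/x.js") references
                # inherit the page's https scheme and are therefore clean.
                absolute = urljoin(self.page_url, value.strip())
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute, classify(tag)))


def find_mixed_content(page_url, html):
    """Return mixed-content findings for an HTTPS page; [] for http pages."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for pages served over TLS
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two clean references, three mixed-content ones.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://images.example.test/banner.png">
<form action="http://forms.example.test/submit" method="post"></form>
<a href="http://example.test/other">link</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url, severity in find_mixed_content(
        "https://www.example.test/index.html", SAMPLE_HTML
    ):
        print(f"[{severity}] <{tag} {attr}> -> {url}")
```

Run against the sample page it reports the stylesheet and form action as active findings and the banner image as passive; the protocol-relative script and the site-relative logo resolve to https and are not flagged, and the plain `<a href>` is ignored because following it is navigation rather than a sub-resource load.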
When does a cloud provider's scanner make sense for your organization?
Today, most security and development teams should plan to use more robust Web application security scanning tools to properly assess cloud applications. For organizations using the Google App Engine and Google Compute Engine, enabling the free scanner makes a lot of sense, but it doesn't cover all the necessary bases. Most Web application security scanners don't have native API integration with leading cloud providers, though, so teams will still need to request the provider's permission for scans and coordinate them appropriately across teams. In addition, keep in mind that all scanners -- Google's included -- can dramatically increase resource utilization within cloud environments, which can increase costs, change service-level thresholds and even trigger any automated load-balancing or autoscaling tools that may be set up.
More Web security scanners likely to come
Over time, it's likely that more leading cloud service providers will create their own security tools like Web security scanners and partner more closely with existing vendors that provide these services. For now, most teams will want to stick with what they've been using if they already have a reasonably mature Web application scanning program and tools in place. Most of the leading vendors are more than capable of scanning cloud application environments, and you'll be glad to have the deeper security checks and reporting that come along with a more powerful set of tools. However, for those organizations using Google App Engine today -- especially those not doing any scanning currently -- the new Web security scanner from Google is a great start.
About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He previously worked as CSO at Configuresoft; as CTO at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.