Google today released a tool to make scanning for vulnerabilities on its cloud platform more effective: the aptly named Google Cloud Security Scanner.
Although several security scanners already exist for web applications, Google says they are typically not well suited to apps that run on Google App Engine: they are hard to set up and “built for security professionals,” not for the web application developers who run their apps on App Engine.
The scanner has been designed with ease of use in mind and to scan “rich, JavaScript-heavy” web apps, detecting the most common issues with a minimum of false positives. It allows App Engine developers to regularly scan their applications for two common web application vulnerabilities: Cross-Site Scripting (XSS) and mixed content scripts.
You can now access the Cloud Security Scanner by selecting Compute > App Engine > Security scans in the Google Developers Console to run your first scan.
Here is how it works, comparing the two ways a scanner can crawl a site:
- Parse the HTML and emulate a browser: this is fast, but it comes at the cost of missing site actions that require a full DOM or complex JavaScript operations.
- Use a real browser: this avoids the parser's coverage gap and most closely simulates the site experience. However, it can be slow due to event firing, dynamic execution, and the time needed for the DOM to settle.
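As an added illustration (not Google's scanner code), here is a mixed-content check written in the first style: it parses an HTTPS page's HTML with Python's standard library and flags scripts, stylesheets and frames fetched over plain http://, while the constructed sample page (made-up hostnames) shows the coverage gap, because a script tag that JavaScript inserts at runtime is never seen by a static parser.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Active content: the referenced resource executes or styles the page.
# Images are passive mixed content and deliberately not covered here.
ACTIVE_ATTRS = {"script": "src", "iframe": "src", "link": "href"}


class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute_url, html_line)

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_ATTRS:
            return
        attrs = dict(attrs)
        ref = attrs.get(ACTIVE_ATTRS[tag])
        # Only stylesheet <link>s fetch active content.
        if not ref or (tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet"):
            return
        # Resolve relative and protocol-relative (//host/x) references against
        # the HTTPS page URL; only an explicit http: scheme is mixed content.
        absolute = urljoin(self.page_url, ref.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute, self.getpos()[0]))


def find_mixed_content(page_url, html):
    """Return (tag, absolute_url, line) for each active http:// reference."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages served over HTTPS
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page with made-up hostnames.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//cdn.example.test/lib.js"></script>
<script src="/static/app.js"></script>
<script src="http://cdn.example.test/tracker.js"></script>
</head><body><script>
// Added at runtime: a static parser never sees this tag; only a real browser would.
var s = document.createElement('script');
s.src = 'http://cdn.example.test/late.js'; document.head.appendChild(s);
</script></body></html>"""

for tag, url, line in find_mixed_content("https://app.example.test/", SAMPLE_HTML):
    print(f"line {line}: <{tag}> loads {url} over plain HTTP")
```

Running it reports only the stylesheet on line 2 and the tracker script on line 5; the protocol-relative and same-origin scripts resolve to https and the late-injected script is invisible to this approach.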