Google has set out to make life easier for developers wanting to test the security of their new builds by releasing a new vulnerability scanning tool.
The web giant announced the beta release of its Google Cloud Security Scanner in a blog post on Thursday, claiming its latest effort would be more effective than many of the current tools on the market.
It explained the following:
“Deploying a new build is a thrill, but every release should be scanned for security vulnerabilities. And while web application security scanners have existed for years, they’re not always well-suited for Google App Engine developers. They’re often difficult to set up, prone to over-reporting issues (false positives)—which can be time-consuming to filter and triage—and built for security professionals, not developers.”
Google’s Cloud Security Scanner is aimed at App Engine users and checks for two common web vulnerabilities, namely cross-site scripting and mixed content (an HTTPS page loading scripts or other resources over plain HTTP), the firm continued.
It has been designed with ease-of-use in mind and to scan “rich, JavaScript-heavy” web apps, detecting the most common issues with the minimum of false positives.
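As an added illustration, not Google's scanner code and not part of the original article, the Python below sketches the two checks the scanner is described as making, run against a constructed vulnerable request handler and its hardened counterpart. The handler names, the example hostnames and the probe token are invented for the example; the logic shows why an escaped reflection of attacker input is not reported as XSS, which is the false-positive distinction the announcement emphasises.

```python
"""Toy checks for the two issue classes the scanner targets: reflected XSS
and mixed content. Constructed for this example; not Google's code."""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse


# Two constructed request handlers standing in for an App Engine app.
# Each takes the user-supplied ?q= value and returns the response body.
def vulnerable_search(q: str) -> str:
    # Reflects q unescaped and pulls an image and a script over plain HTTP.
    return (
        "<html><body><p>Results for " + q + "</p>"
        "<img src='http://static.example/logo.png'>"
        "<script src='http://cdn.example/app.js'></script>"
        "</body></html>"
    )


def hardened_search(q: str) -> str:
    # Same page with the value HTML-escaped and all subresources on HTTPS.
    return (
        "<html><body><p>Results for " + html.escape(q) + "</p>"
        "<img src='https://static.example/logo.png'>"
        "<script src='https://cdn.example/app.js'></script>"
        "</body></html>"
    )


class MixedContentParser(HTMLParser):
    """Records subresources fetched over http:// from the page markup."""
    # Active content can run script or style in the page's origin;
    # passive content (images, media) is less severe but still flagged.
    ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
    PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            self._check("active", tag, attrs.get("href"))
        elif tag in self.ACTIVE:
            self._check("active", tag, attrs.get(self.ACTIVE[tag]))
        elif tag in self.PASSIVE:
            self._check("passive", tag, attrs.get(self.PASSIVE[tag]))

    def _check(self, kind, tag, url):
        # Only an absolute http:// URL is mixed content; relative and
        # protocol-relative (//host/...) URLs inherit the page's scheme.
        if url and urlparse(url).scheme.lower() == "http":
            self.findings.append((kind, tag, url))


def find_mixed_content(page_html: str, page_url: str) -> list:
    """Return (kind, tag, url) findings in document order; empty if the page is not HTTPS."""
    if urlparse(page_url).scheme.lower() != "https":
        return []  # an http:// page cannot have mixed content
    parser = MixedContentParser()
    parser.feed(page_html)
    return parser.findings


def find_reflected_xss(handler) -> bool:
    """True if the handler echoes our probe with its markup characters intact."""
    token = "zq7xprobe"            # invented marker, unlikely to occur in the page by itself
    probe = token + "<\"'>"        # characters that must be escaped in an HTML text node
    if probe in handler("harmless"):
        return False               # probe present without our input: cannot attribute it
    # A correctly escaped reflection becomes zq7xprobe&lt;&quot;&#x27;&gt;,
    # so only a raw reflection matches and escaped output is not flagged.
    return probe in handler(probe)


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_search), ("hardened", hardened_search)):
        print(name, "xss:", find_reflected_xss(handler),
              "mixed:", find_mixed_content(handler("x"), "https://app.example/"))
```

The probe-based XSS check only covers reflection into an HTML text node; input that lands inside an attribute or a script block needs its own probe and escaping rule, which is one reason automated results still need manual confirmation.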
The announcement is the latest effort by Google to position itself as a leading and proactive member of the information security industry.
Its efforts so far have had mixed results, however, with the Project Zero security research team widely criticized back in January after it publicly released details of a Windows 8.1 flaw just two days before it was due to be fixed by Microsoft in that month’s Patch Tuesday.
Google has since softened its strict 90-day disclosure policy by adding a 14-day grace period for vendors who can show that a patch is scheduled to ship within that fortnight.
The firm also tripled the maximum reward on offer via its bug bounty program last September, and claimed to have handed out over $80,000 in rewards to researchers who discovered flaws in the latest version of Chrome.
Sam Hartley, senior consultant at security consultancy 7 Elements, welcomed the new scanner as a “step in the right direction.”
“Automated vulnerability scanning has its limitations, and in this case the scanner currently only detects a limited set of issues,” he told Infosecurity by email.
“As with all automated scanning, this should be augmented with manual web application security testing to validate findings from the automated tools and test for issues automated tools cannot detect.”