Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Google Cloud Security Scanner reaches General Availability

Google Cloud Security Scanner reaches General Availability


On October 7, 2015 Google announced its App Engine security service, Google Cloud Security Scanner, has reached general availability.  This past February, Google launched a beta version of this service.

Mathew O’Connor, product manager at Google, describes the service in the following way, “Google’s Cloud Security Scanner can detect issues like cross-site scripting (XSS), Mixed Content, and Flash Injection or alert you to the usage of insecure Javascript libraries.”

Unlike Amazon’s Inspector service and Microsoft’s Azure Security Center, Google has chosen to focus on its platform as a service (PaaS) offerings and at this point does not provide coverage for Google AppEngine infrastructure as a service (IaaS).

For developers who are writing code and focused on their own deliverables, addressing security may be overlooked. As a result, developers may introduce vulnerabilities with each new release of their software. In order to mitigate these security risks, developers or security administrators may look to web application security scanners as a way to reduce manual security testing.

Many web application security scanners exist such as Nessus and AppScan but are not necessarily well-suited for Google App Engine developers. Rob Mann, security engineering manager at Google, explains “web application security scanners have existed for years, they’re not always well-suited for Google App Engine developers. They’re often difficult to set up, prone to over-reporting issues (false positives)—which can be time-consuming to filter and triage—and built for security professionals, not developers.”

Within the Google Developer Console, administrators can configure a security scan.  The security scan works by crawling and testing basic HTML pages, HTML5 pages and web applications that contain large amounts of Javascript.

Configuring a security scan requires an administrator to provide an entry URL, authentication credentials, if applicable, and any URLs that should be excluded.  This configuration is represented in the following image.   

Image Source:

For customers who have enrollment processes, Google advises customers to manually move through those workflows in order to avoid terms and condition policy acceptance and account verification issues.

After the scan configuration is complete, Cloud Security Scanner uses a multi-stage pipeline approach to analyzing the web site.  The first stage involves a quick parsing of the HTML rendered by the web application. The second stage takes a thorough pass-through of your web application looking for more complex areas of your web site.

Since the second stage is more system resource intensive, Google will scale horizontally in order to reduce the amount of time the scan will take.  This scale out is achieved through the use of virtual Chrome workers that will concurrently scan your site.  Google will limit the number of worker instances to 20 requests per second, or lower, in order to avoid performance related issues.

The third stage looks for cross-site scripting vulnerabilities by leveraging Chrome Dev Tools to execute the debugger and pass benign payloads to JavaScript code.

There are no direct costs for using Cloud Security Scanner. However, indirect costs occur through the use of the App Engine platform.  While testing occurs, there will be charges for bandwidth usage, API calls and any other service your web site is consuming.  For larger test scenarios, Google will stop a scan after 100 000 test requests in order to minimize billing overruns.

Rate this Article