Recently, Google announced the general availability of Cloud Security Scanner for Google Kubernetes Engine and Compute Engine. This service allows scanning for vulnerabilities and threats of web apps possibly introduced during development, and act before anyone can abuse them.
Joining a long line of security products for Google Cloud Platform, like KVM hypervisor, GCE Trusted Images, and Google Container Registry Image Analysis, Cloud Security Center is another line of defense against unwanted attacks. Already available for App Engine, it is now also offered for web apps running in containers on Google Kubernetes Engine (GKE) and virtual machines in Compute Engine. Consequently, the service helps to protect against the following common attack vectors, checking these during each scan. This process looks similar to how Azure has implemented this with Web Vulnerability Scanning for Azure App Service powered by Tinfoil Security, with the significant difference that GCP does not use a third party service. Expect more checks to become available over time; the full list is always presented in the Cloud Security Command Center (Cloud SCC) documentation.
- Checks if any pages use mixed content, serving both HTTP and HTTPS to the user.
- Provides notifications when using any Javascript libraries which contain known security issues.
- Detects Rosetta Flash vulnerabilities, where an attacker can send a Flash file which the server then executes.
- Notification of crosssite scripting attacks due to XSS callback or XSS error due to JavaScript breakage.
- Spots interception of passwords on the network, due to XSS Angular callback or clear text passwords, where pages send passwords with an invalid content type.
- Detection of invalid content type, invalid headers, misspelled security header names, and mismatching security header values.
- Finally, warns when the repository containing the source code is publicly accessible, both for GIT and SVN.
Cloud Security Center passes the findings along to the Cloud SCC dashboards, so users and administrators can find all threats and notifications in a centralized location. Moreover, the console provides suggestions and recommendations, turning these into actionable results. The developer can then take these outcomes, and assimilate them back into the application, providing a quick turnaround and making sure unwanted individuals will not exploit these weaknesses. Therefore, it is an excellent practice to make these scans part of the development process, as Ferris Argyle, Google app engine qualified developer, describes in his article around threat protection for containers and virtual machines.
Cloud Security Scanner enables you to detect key vulnerabilities in development prior to production; after you set up a scan, it automatically crawls your application, following all links within the scope of your starting URLs, and attempts to exercise as many user inputs and event handlers as possible. You can select whether to use Chrome, Safari, Blackberry or Nokia browser agents.
Important to note, the Cloud Security Center needs to be explicitly enabled, as it is turned off by default. One of the reasons for this is that, albeit the service does not have any costs to use, it does have an impact on the quotas for the underlying platform, such as allowances for App Engine bandwidth charges and API calls. Accordingly, it is imperative to enable the scan and direct it to the project which contains the web app. As the scan will execute any actionable components in the application, and follow all links, data is likely to get updated. To minimize the impact, adhere to the following techniques, as described in the documentation, including running scans in a test environment while using a test account, ensuring a good backup is available, and blocking specific components and links.