Google Tool Scans App Engine Apps for Security Vulnerabilities

Securing your applications on the public web is an essential part of deploying any application. Various tools exist to test web applications against known vulnerabilities, but if your application is hosted on Google App Engine you know that its sandboxed runtime has made it hard to pick the testing tool of your choice. That is no longer the case with the release of Google Cloud Security Scanner, which aims to fill exactly that gap.

Google Cloud Security Scanner, announced in a Beta release, can help you test your web application against known vulnerabilities. This tool is integrated right within the Developer Console for your Google Cloud Platform project. All you need to do is access it from the Developer Console and set up a security scan that you can run repeatedly.

The checks currently available are cross-site scripting (XSS), mixed content, and some custom detectors.

The tool is available at no extra charge to existing Google Cloud Platform projects, though you should be aware that the scanner's requests count against your App Engine instance quota limits, bandwidth charges, and API call quotas. Google Cloud Security Scanner crawls the list of URLs in your application, exercising the forms and parameters it finds. You can throttle the number of requests the scanner sends to your application, up to a maximum scan rate of 15 queries per second, and you can provide additional URLs or exclude certain URLs if you want.
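To show concretely what the mixed-content detector named above flags (a sub-resource loaded over plain http:// on a page served over https://), here is a small check added for illustration; it is not Google's scanner code, and the host names in the sample page are constructed placeholders.

```python
# Toy mixed-content check: flags sub-resources fetched over plain http:// on a
# page served over https://, the class of finding the scanner reports as
# "Mixed Content". Added illustration only; not Google's detector.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a sub-resource.
RESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src",
    "link": "href", "video": "src", "audio": "src", "object": "data",
}

class _MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # Resolve relative and protocol-relative ("//host/x") references
        # against the page URL before inspecting the scheme.
        resolved = urljoin(self.page_url, value)
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, attr, resolved))

def find_mixed_content(page_url, html):
    """Return (tag, attr, absolute_url) for each http:// sub-resource."""
    if urlsplit(page_url).scheme != "https":
        return []  # only a page delivered over https can have mixed content
    parser = _MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page; the host names are placeholders.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
<script src="/static/local.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<a href="http://example.test/page">plain link, not a sub-resource</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content("https://myapp.appspot.com/", SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> -> {url}")
```

The protocol-relative script and the site-relative script resolve to https and are not reported; only the stylesheet and the image are flagged.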

The documentation provides tips and suggestions on how best to test your application without affecting live instances of your App Engine application. A good suggestion is to run the scan against a test version of your App Engine application, using test accounts, to identify the known vulnerabilities. While the tool is currently limited to a few web vulnerabilities, it is expected that Google will add more checks over time based on user feedback and usage.

To learn more about Google Cloud Security Scanner, check out the official documentation.

Romin Irani: Romin loves learning about new technologies and teaching them to others. His passion is to help developers succeed.
