5 Techniques to Avoid Unwanted Outcomes with Cloud Security Scanner

Google Cloud Service Providers (CSPs)

In a previous blog post, Understanding Google Cloud Platform (GCP) Concepts, we discussed the basics of the Google Cloud Platform (Identity and Access Management, Networking, Securing data) and how these core features and systems apply towards securing your cloud workloads. In this three-part series, we’ve provided an in-depth look at three Google Cloud Service Providers (CSPs):

In this post, we will cover Google Cloud Security Scanner, but be sure to check out the other blog posts: The 5 Key Features of Google Stackdriver & How to Configure Google Cloud Armor.

Checking for Security Vulnerabilities with Google Cloud Security Scanner

Every Cloud Service Provider (CSP) offers its own functionality for securing and monitoring environments. Cloud Security Scanner checks for security vulnerabilities in your App Engine and Compute Engine web applications.

It is designed to complement your existing secure design and development processes. The scanner currently detects the following:

  • XSS
  • Flash injection
  • Mixed-content
  • Clear text passwords
  • Usage of insecure JavaScript libraries

It performs these checks by automatically simulating use of your web applications: populating form fields, simulating clicks, and so on.

Pro Tip: While it does not replace manual security checks performed by an expert, it should be integrated in your development pipeline as an additional security layer in your overall process.


5 Tips to Avoid Cloud Security Scanner’s Unintended Consequences

Because the Cloud Security Scanner populates fields, pushes buttons, clicks links, and so on, it should be used with caution. Cloud Security Scanner could potentially activate features that change the state of your data or system, with undesirable results. Here are five techniques which can be used to avoid unwanted outcomes:

1. Run scans in a test environment.

Set up a test environment by creating a separate App Engine project and loading your application and data there. If you use the gcloud command-line tool, you can specify the target project as a command-line option when uploading your app.

2. Use a test account.

Create a user account that does not have access to sensitive data or harmful operations, and use it when scanning your app. Many applications present a special workflow during a user’s first-time login, like accepting terms, creating a profile, and so on. Because of the different workflow, a test account for an initial user can yield different scan results than an established user account. It’s best to scan with an account that is in the normal user state, after the first-time flow is completed.

3. Block individual UI elements.

Block elements that you do not want activated by applying the CSS class inq-no-click. Event handlers attached to such an element are not activated during crawling and testing, regardless of whether they are inline JavaScript, attached using addEventListener, or attached by setting the appropriate event handler property.
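One way to verify before a scan that the state-changing controls on a page actually carry this class, as an added example that is not part of the original post or of Google's tooling: a small Python audit over the rendered HTML. The list of risky words is an assumption to tune for your application, and handlers attached with addEventListener cannot be seen in static HTML, so those controls still need a manual review.

```python
from html.parser import HTMLParser

RISKY_WORDS = ("delete", "remove", "purge", "pay", "send", "reset", "unsubscribe")  # assumption: tune per app

class ClickAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []    # (tag, label) pairs to review before a scan
        self._pending = None  # (tag, label, has_inline) while inside an <a>/<button>
        self._text = []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        is_control = tag in ("a", "button") or (
            tag == "input" and a.get("type") in ("submit", "button", "image"))
        has_inline = any(k.startswith("on") for k in a)  # onclick=..., onsubmit=...
        if not (is_control or has_inline) or "inq-no-click" in a.get("class", "").split():
            return  # not clickable, or already opted out of the scanner
        label = " ".join(a.get(k, "") for k in ("value", "aria-label", "formaction", "href"))
        if tag in ("a", "button"):  # the element's text content is part of its label
            self._pending, self._text = (tag, label, has_inline), []
        else:
            self._record(tag, label, has_inline)
    def handle_data(self, data):
        if self._pending is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if self._pending is not None and tag == self._pending[0]:
            t, label, inline = self._pending
            self._record(t, label + " " + "".join(self._text), inline)
            self._pending = None
    def _record(self, tag, label, has_inline):
        # Inline handlers are always reported: the scanner fires them unless opted out.
        # Handlers attached with addEventListener are invisible in static HTML.
        if has_inline or any(w in label.lower() for w in RISKY_WORDS):
            self.findings.append((tag, " ".join(label.split())))

def audit(html):
    # Returns controls a scan could activate that are not marked inq-no-click.
    parser = ClickAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not from any real application.
SAMPLE = """<form action="/account" method="post">
  <button type="submit" class="btn">Save profile</button>
  <button type="submit" class="btn danger" formaction="/account/delete">Delete account</button>
  <input type="submit" value="Send invoice">
  <a href="#" onclick="purgeCache()">Clear cache</a>
  <button class="inq-no-click" onclick="resetPassword()">Reset password</button>
</form>"""
```

Run `audit()` over each rendered page of the test deployment and add inq-no-click to anything it reports that should not fire during a scan.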

4. Use backup data.

Consider making a backup of your data before scanning.

5. Exclude URLs.

You can specify URL patterns that will not be crawled or tested. For information on syntax, see Excluding URLs in Scans.

Ensuring Secure Robust Applications

If you are using Google Cloud Platform, or strongly considering it, and have not looked at or tried any of the technologies discussed here, then I encourage you to do so. Whether you are a developer, SysOps or DevOps, these tools provide additional capabilities for your use cases that can lower effort and result in secure, robust applications.

To learn more about Google Stackdriver’s powerful features that can support your production environment and also assist in development, read our blog post: The 5 Key Features of Google Stackdriver. In addition, you can read about how Cloud Armor works as a multi-layer firewall for your GCP resources in this blog post: How to Configure Google Cloud Armor.