<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=986590804759414&amp;ev=PageView&amp;noscript=1">
G Suite Admins Blog > Security and Governance

Introducing Web Application Vulnerability Scans for GKE and Compute Engine


Are you worried about the security of your platforms? Google has you covered. 

Now that developers are building and running their applications on a more significant number of disparate platforms, they have more vulnerabilities and security issues to consider. The more platforms you use, the higher the challenge of understanding the security state of your application becomes. Without complete visibility into your entire technology stack, you could be missing vulnerabilities that leave your apps open to exploitation. 

To help developers overcome issues like this once and for all, Google is introducing new web application vulnerability scans. The Cloud Security Scanner is now generally available for both Compute Engine and the Google Kubernetes Engine. Options for GKE and Compute Engine join previous capabilities that were available for the App Engine. 

According to the team at Google, the availability of Cloud Security Scanner on GKE and Compute Engine means that no matter where you're running your applications on the Google Cloud, you'll feel confident with your ability to quickly gain insights into potential vulnerabilities, and fix problems before they get out of hand. 

Overcoming Web Application Vulnerabilities 

Vulnerabilities in web applications can happen at virtually any stage during the development process. Sometimes, these vulnerabilities happen when an app's security framework is damaged in some way. There's also a chance that something will go wrong when a developer makes a mistake when implementing a new app into a production environment. Sometimes, vulnerabilities even take place when systems aren't properly updated or patched. 

Fortunately, with Google Cloud Scanner, you can overcome all of these issues, by surfacing a wide variety of web application vulnerabilities in one environment. The Cloud Security Scanner can:

  • Detect issues like cross-site bugs caused by Java problems
  • Identify external vulnerabilities in an app caused by mixed content or Flash inject
  • Alert you to problems with SVN and GIT repositories
  • Surface problems with mixed content that an attacker could use with man-in-the-middle strategies to gain access to user data
  • Show you when applications may be transmitting passwords in plain text accidentally or display HTTP header problems. 

When the Cloud Security Scanner in the Google solution comes across a vulnerability or security issue, it logs it as a finding within your Cloud Security Command Center. From there, users can look for ways to fix the problems before they have a chance to grow any further. What's more, Google offers the Cloud Security tool for posture management as part of the GCP for extra assistance. This additional tool will give you visibility into threats, vulnerabilities, and misconfigurations that you can then respond to quickly and easily from your dashboard. 

When you click on a finding that's been surfaced by the Cloud Security Scanner, you'll be able to see an immersive description of what's going wrong in your app. Google even offers some helpful advice on how you can effectively deal with the problem and stop it from happening again in the future. 

Using Google Cloud Security Scanner

The Security Scanner available on the Google Cloud isn't on by default. If you want to activate this feature, then you'll need to do so within the admin console. Google offers a quick start guide to get you started. Once you've completed that, you can go into the Security Sources within your Google Cloud SCC to ensure that your new feature is active.

There's also an option to create custom scans for your applications with the UI in the Cloud Security Scanner. Once the Security Scanner is on and running, it will evaluate your application, following all links within the scope of your URLs, then exercise as many events handles and user inputs as it can. The scans are all run through Safari and Chrome browsers. You can schedule when you want your scans to take place. 

For companies who need additional protection for the apps that they have running within GKE instances, you'll be able to access the container registry vulnerability scanning feature to unlock and view potentially vulnerable container images before they reach the production stage. If you're new to the GCP, you can check out all of these features as part of your trial.