I got to experiment a bit with Google Cloud Security Scanner yesterday, and wanted to share my experiences with you, set expectations, and so on.
- It’s a front-end test. We spin up a bunch of Chrome instances and have them go at your site as a browser would. We aren’t scanning your code on the server side; we’re testing as if we are on the outside trying to get in.
- It’s App Engine only. You get to it through the Developer Console menu for App Engine. It’s not a general purpose scanner.
- Read the documentation. Everything I was confused by, even for a moment, was noted there. The thing that confused me most was that I ended up getting 150 or so emails from my contact form. Once I understood what was going on, I was fine with it, but at first I was wondering what the heck was happening.
- It’s going to take a while. It scanned 1607 URLs on my site in 1 hour 23 minutes. It’s doing a comprehensive scan, rendering pages in Chrome and running XSS tests as it goes. It also limits its requests per second so it doesn’t become a nuisance.
- There is no charge except… The scan itself does not have a charge associated with it. However, it is making requests of your site, and those requests count against your usage and quota. That being said, for me it didn’t even cause a dent in my usage and quota, and I have them all set pretty low. Obviously your mileage may vary depending on the nature of your site, but for my relatively small-traffic WordPress blog, running with default quotas, it didn’t cause a blip.