
Catch web app vulnerabilities before they hit production with Cloud Web Security Scanner

This is the second blog in our six-part series on how to use Cloud Security Command Center. In our first post, we looked at how to enable Cloud Security Command Center and how it can improve your cloud security posture.

Today’s web applications are developed at a rapid pace, and that pace is only getting faster. This makes it difficult to know whether your web apps have vulnerabilities, and how to fix them, before they hit production. We recognize this problem, and it’s why we developed Cloud Web Security Scanner, a built-in feature of Cloud Security Command Center that crawls a running application and detects vulnerabilities, including cross-site scripting and outdated libraries, in apps hosted on GKE, Compute Engine, and App Engine. In this blog, we’ll walk through how to get started with Cloud Web Security Scanner, with the help of a video, so you can start reducing your web app vulnerabilities.

Enabling Cloud Web Security Scanner
Cloud Web Security Scanner isn’t turned on by default, so the first step is to enable it. In the Google Cloud Platform Console, visit the Cloud Security Command Center page, choose an organization for Cloud Web Security Scanner, and select the project within that organization that you want to use it on. If you haven’t already enabled the Cloud Web Security Scanner API, you’ll be prompted to do it here.


Create, save, and run scans 
Cloud Web Security Scanner allows you to create, save, and run scans to detect key vulnerabilities in development before they’re pushed to production.

To create a scan, add the starting URL of the application you’d like to test, then save it from the scan’s configuration page, where you can also find more information about the scan, its history, and the controls for editing it. When you want to run a scan, either start it immediately or schedule the time you want it to run from the Cloud Web Security Scanner page.

Once you’ve completed these steps, Cloud Web Security Scanner will automatically crawl your application, following all the links within the scope of your starting URLs, and attempt to exercise as many user inputs and event handlers as possible. Because it really does submit forms and click through handlers, point it at a test or staging deployment with test data rather than at production, and exclude state-changing URLs (logout, delete, and similar endpoints) from the scan. When the scan is done, it will show any vulnerabilities it detected.


View your findings and fix them 
After you’ve turned on Cloud Web Security Scanner and run your scans, you can use the same page to explore the findings (results). It identifies many common web vulnerabilities, including cross-site scripting, Flash injection, mixed content, and outdated libraries.

In addition to using the Cloud Web Security Scanner page, you can enable Cloud Web Security Scanner under Security Sources and view your findings directly on the Cloud Security Command Center dashboard. This lets you see findings from Cloud Web Security Scanner and other built-in security features in one place, for a holistic look at your security posture in GCP. Click on a finding to bring up more information about the issue and how to fix it.
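The console walkthrough above (create a scan config with a starting URL, run it, then review the findings) can also be driven from a script, which is how you would wire the scanner into a pre-production pipeline. The following is an added example, not code from the original post or from Google; the pure functions run offline against constructed sample findings, and only the optional run() helper calls the google-cloud-websecurityscanner client library. The field names (display_name, starting_urls, blacklist_patterns, max_qps, finding_type) follow the v1 API as the author of this example understands it and should be checked against the current reference; the finding-type strings, the staging hostname, and the release-gating policy are assumptions for illustration.

```python
"""Added example: drive Cloud Web Security Scanner from a script and gate a release on its findings."""
from __future__ import annotations

import sys
import time
from collections import Counter
from typing import Iterable
from urllib.parse import urlparse

# Finding types named in the post. Assumed to match the API's finding_type strings;
# verify against real findings before relying on them in a gate.
BLOCKING_TYPES = {"XSS", "OUTDATED_LIBRARY", "FLASH_INJECTION", "MIXED_CONTENT"}

# Constructed sample findings (NOT real scanner output) in the shape this example expects.
SAMPLE_FINDINGS = [
    {"finding_type": "XSS", "http_method": "GET",
     "fuzzed_url": "https://staging.example.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E",
     "final_url": "https://staging.example.com/search"},
    {"finding_type": "MIXED_CONTENT", "http_method": "GET",
     "fuzzed_url": "https://staging.example.com/", "final_url": "https://staging.example.com/"},
    {"finding_type": "OUTDATED_LIBRARY", "http_method": "GET",
     "fuzzed_url": "https://staging.example.com/static/jquery.js",
     "final_url": "https://staging.example.com/static/jquery.js"},
]


def build_scan_config(display_name: str, starting_urls: Iterable[str],
                      excluded_patterns: Iterable[str] = (), max_qps: int = 15) -> dict:
    """Build a ScanConfig body (proto field names, snake_case).

    The crawler follows every link and fires every handler reachable from the starting
    URLs, so blacklist_patterns should cover logout/delete-style endpoints on the staging
    target, and max_qps keeps the scan from overwhelming a small test instance.
    """
    urls = list(starting_urls)
    for u in urls:
        p = urlparse(u)
        if p.scheme not in ("http", "https") or not p.netloc:
            raise ValueError(f"starting URL must be an absolute http(s) URL: {u!r}")
    if not 5 <= max_qps <= 20:  # range the API documents for max_qps (assumption)
        raise ValueError("max_qps must be between 5 and 20")
    return {
        "display_name": display_name,
        "starting_urls": urls,
        "blacklist_patterns": list(excluded_patterns),
        "max_qps": max_qps,
    }


def triage(findings: Iterable[dict]) -> dict:
    """Count findings by type and pull out the ones that should stop a release."""
    items = list(findings)
    by_type = Counter(f["finding_type"] for f in items)
    blocking = sorted({f["final_url"] for f in items if f["finding_type"] in BLOCKING_TYPES})
    return {"by_type": dict(by_type), "blocking_urls": blocking}


def should_block_release(findings: Iterable[dict], blocking_types=BLOCKING_TYPES) -> bool:
    """Gate: any finding of a blocking type fails the pre-production check."""
    return any(f["finding_type"] in blocking_types for f in findings)


def run(project_id: str, config: dict, poll_seconds: int = 30) -> list[dict]:
    """Create the config, start a run, wait for it, and return findings as dicts.

    Assumes `pip install google-cloud-websecurityscanner` and Application Default
    Credentials with the Web Security Scanner API enabled on the project.
    """
    from google.cloud import websecurityscanner_v1 as wss  # imported lazily: network path only

    client = wss.WebSecurityScannerClient()
    cfg = client.create_scan_config(parent=f"projects/{project_id}",
                                    scan_config=wss.ScanConfig(**config))
    scan_run = client.start_scan_run(name=cfg.name)
    while scan_run.execution_state != wss.ScanRun.ExecutionState.FINISHED:
        time.sleep(poll_seconds)
        scan_run = client.get_scan_run(name=scan_run.name)
    findings: list[dict] = []
    stats = client.list_finding_type_stats(parent=scan_run.name)
    for stat in stats.finding_type_stats:  # ListFindings wants a finding_type filter
        for f in client.list_findings(parent=scan_run.name,
                                      filter=f"finding_type={stat.finding_type}"):
            findings.append(wss.Finding.to_dict(f))
    return findings


if __name__ == "__main__":
    # Usage: python scan_gate.py PROJECT_ID https://staging.example.com/
    project, url = sys.argv[1], sys.argv[2]
    cfg = build_scan_config("staging-pre-release", [url], [url.rstrip("/") + "/logout*"], max_qps=10)
    results = run(project, cfg)
    print(triage(results))
    sys.exit(1 if should_block_release(results) else 0)
```

The gate is deliberately coarse: one blocking-type finding fails the build. In practice you would feed triage()'s per-URL output into the ticketing flow and tune BLOCKING_TYPES to the finding types you actually see in the console.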


For more information...
To learn more about Cloud Web Security Scanner and enable it for your web applications, check out our video.