This page shows you how to use Web Security Scanner managed scan features and review findings in the Google Cloud console. Examples of Web Security Scanner findings are also shown.
Web Security Scanner is a built-in service for the Security Command Center Premium tier that identifies common security vulnerabilities in your App Engine, Google Kubernetes Engine (GKE), and Compute Engine web applications. To view Web Security Scanner findings, it must be enabled in Security Command Center Services settings.
Learn more about how Web Security Scanner works.
Reviewing findings
Web Security Scanner's managed scan feature automatically configures and schedules scans for each of your in-scope projects. Web Security Scanner scans can take up to 24 hours to start after the service is enabled and run weekly after the first scan. Findings are viewed in Security Command Center.
Review findings in the console
The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.
To review Web Security Scanner findings in Security Command Center, follow these steps:
Google Cloud console
- In the Google Cloud console, go to the Findings page of Security Command Center.
- Select your Google Cloud project or organization.
- In the Quick filters section, in the Source display name subsection, select Web Security Scanner. The findings query results are updated to show only the findings from this source.
- To view the details of a specific finding, click the finding name in the Category column. The details panel for the finding opens and displays the Summary tab.
- On the Summary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
- Optional: To view the full JSON definition of the finding, click the JSON tab.
Security Operations console
-
In the Security Operations console, go to the Findings page.
https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/findings
Replace
CUSTOMER_SUBDOMAIN
with your customer-specific identifier. - In the Aggregations section, click to expand the Source Display Name subsection.
- Select Web Security Scanner. The findings query results are updated to show only the findings from this source.
- To view the details of a specific finding, click the finding name in the Category column. The details panel for the finding opens and displays the Summary tab.
- On the Summary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
- Optional: To view the full JSON definition of the finding, click the JSON tab.
View all findings associated with a specific URL
A scan can produce findings from several base URLs. To display all findings associated with a given URL in a scan, follow these steps:
- Open the finding and view its JSON definition.
- Copy the URL next to
externalUri
. - Close the finding detail pane.
In the Query editor, enter the following query:
externalUri:"AFFECTED_URI"
Replace AFFECTED_URI with the URL you previously copied.
Security Command Center displays all the findings that are associated with the URL.
Example findings
Example Web Security Scanner managed scan findings include the following:
Vulnerability | Description |
---|---|
Mixed-content | A page that was served over HTTPS also serves resources over HTTP. A man-in-the-middle attacker could tamper with the HTTP resource and gain full access to the website that loads the resource or monitor users' actions. |
Clear text password |
An application returns sensitive content with an invalid content type, or
without an X-Content-Type-Options: nosniff header.
|
Outdated Library |
The version of an included library is known to contain a security issue. The scanner checks the version of library in use against a known list of vulnerable libraries. False positives are possible if the version detection fails or if the library has been manually patched. Web Security Scanner identifies some vulnerable versions of the following popular libraries:
This list is updated periodically with new libraries and updated vulnerabilities as applicable. |
Learn more about using Security Command Center in the Google Cloud console.
Filtering findings in the Google Cloud console
A large organization might have many vulnerability findings across their deployment to review, triage, and track. By using filters that are available on the Security Command Center Vulnerabilities and Findings pages in the Google Cloud console, you can focus on the highest severity vulnerabilities across your organization, and review vulnerabilities by asset type, project, and more.
For more information about filtering vulnerability findings, see Filter vulnerability findings in Security Command Center.
Mute findings
To control the volume of findings in Security Command Center, you can manually or programmatically mute individual findings or create mute rules that automatically mute current and future findings based on filters you define.
Muted findings are hidden and silenced, but continue to be logged for audit and compliance purposes. You can view muted findings or unmute them at any time. To learn more, see Mute findings in Security Command Center.
Scan configurations
If Web Security Scanner is given access credentials, it will perform all actions using that level of access. To reduce risk to your production resources, and to catch vulnerabilities before they reach production, it is recommended that you run scans in development, testing, staging, or quality assurance environments.
Scanning production resources is useful because even small changes to resources between testing and production can introduce vulnerabilities. However, you might want to use limit access during production scans. See Best practices for more information.
To review managed scan configurations and manually start scans, use the Google Cloud console.
To see the managed scan configuration for a project:
- Go to the Web Security Scanner page in the Google Cloud console.
Go to the Web Security Scanner page - Select a project. A page appears with a list of your managed and custom scans.
- Under Scan configs, click
managed_scan
. The page that appears shows the results of the most recent managed scan, including scan status, URLs crawled, and vulnerabilities found. Use the drop-down list to see the results of previous scans.
Web Security Scanner administers and maintains managed scans, so you cannot modify scan configurations. Managed scans can only be edited or deleted in Security Command Center, as discussed in Disabling managed scans.
Static IP address ranges for managed scans
When Web Security Scanner is enabled in Security Command Center, managed scans
start automatically using static IP addresses in the ranges 34.66.18.0/26
and
34.66.114.64/26
.
On-demand scans
Managed scans run automatically on a set schedule. However, you can use the Web Security Scanner interface to run on-demand managed scans:
- Go to the Web Security Scanner page in the Google Cloud console.
Go to the Web Security Scanner page - Select a project. A page appears with a list of your managed and custom scans.
- Under Scan configs, click
managed_scan
. - On the next page, click Run at the top of the page; or
- Click Run scan again in the Results tab.
The scan begins and findings are updated in Security Command Center when completed. On-demand managed scans are useful when you want to capture findings for new or updated projects in between scheduled scans. On-demand scans don't impact the timing of scheduled weekly scans.
You can find more information about the scan in the project logs page.
Disabling managed scans
It is recommended that you keep Web Security Scanner enabled for all in-scope projects. However, you can disable Web Security Scanner in Security Command Center or, if Security Command Center is activated at the organization level, disable Web Security Scanner managed scans for specific projects or folders.
Disable Web Security Scanner scans for a project or folder
To disable managed scans for a folder or project:
Go to the Services page in Security Command Center.
Select your project or organization.
On the Web Security Scanner card, click Manage settings. The Service enablement page opens for Web Security Scanner.
In the Service enablement panel, disable Web Security Scanner for the project or folder by using one of the following methods:
- Navigate to the project or folder:
- In the Service enablement panel, navigate to the project or folder by scrolling and expanding any parent organization or folders as necessary.
- On the row for the project or folder, from the menu in the Web Security Scanner column, select Disable.
- For projects and folders only, search for the project or folder by name:
- Click Search for a folder or project.
- In the Search resources dialog, enter the name of the project, folder, or organization. The project is displayed in the dialog.
- In the dialog, from the menu in the Web Security Scanner column, select Disable.
- Navigate to the project or folder:
Disabled projects are no longer included in managed scans.
Disable Web Security Scanner in Security Command Center
To disable the Web Security Scanner service in Security Command Center:
Go to the Services page in Security Command Center.
Select your project or organization.
On the Web Security Scanner card, click Manage settings. The Service enablement page opens for Web Security Scanner.
Under Service enablement, on the row for the top-level project or organization, from the menu in the Web Security Scanner column, select Disable.
Web Security Scanner is disabled in Security Command Center and managed scans will no longer run.
You can continue to use Web Security Scanner as a standalone product through the Web Security Scanner interface in the Google Cloud console, with the following changes:
- You need to configure and manage custom scans for each of your projects.
- Managed scan configurations are archived and existing managed scan findings remain viewable in the Google Cloud console.
- Managed scans are only available in Security Command Center Premium, so managed scan configurations and existing managed scan findings are removed from the Web Security Scanner interface.
If Web Security Scanner is turned back on in Security Command Center, managed scan configurations and findings reappear in the Web Security Scanner interface. Generally, if the same vulnerabilities are found during new scans, existing findings are updated. If your application or website changed substantially since the last scan, new findings may be created.
What's next
- Learn about remediating Web Security Scanner findings.