Using Web Security Scanner

This page shows you how to use Web Security Scanner managed scan features and review findings in the Security Command Center dashboard. Examples of Web Security Scanner findings are also shown.

Web Security Scanner is a built-in service for the Security Command Center Premium tier that identifies common security vulnerabilities in your App Engine, Google Kubernetes Engine (GKE), and Compute Engine web applications. To view Web Security Scanner findings, it must be enabled in Security Command Center Services settings.

The following video shows the steps to set up Web Security Scanner and use the Security Command Center dashboard. Learn more about viewing and managing Web Security Scanner findings and using managed scan features in text later on this page.

Learn more about how Web Security Scanner works.

Reviewing findings

Web Security Scanner's managed scan feature automatically configures and schedules scans for each of your in-scope projects. Web Security Scanner scans can take up to 24 hours to start after the service is enabled and run weekly after the first scan. Findings are viewed in Security Command Center.

Reviewing findings in Security Command Center

To review Web Security Scanner findings in Security Command Center:

  1. Go to the Security Command Center Findings tab in the Google Cloud Console.
  2. Next to View by, click Source Type.
  3. In the Source type list, select Web Security Scanner. A table populates with findings for the source type you selected.
  4. To view details about a specific finding, click the finding name under category. The finding details panel expands to display information including the following:
    • What the event was
    • When the event occurred
    • The source of the finding data
    • The detection severity, for example High
    • The affected URL

A scan can produce findings from several base URLs. To display all findings associated with a given URL in a scan:

  1. Click the finding name under category.
  2. On the finding details panel, copy the URL next to externalUri.
  3. Close the finding detail panel.
  4. In the Filter box, enter externalUri:affected-uri, where affected-uri is the URL you copied previously. Security Command Center displays all the findings that are associated with the URL.

Example findings

Example Web Security Scanner managed scan findings include the following:

Table A. Web Security Scanner managed scan finding types

Mixed-content: A page that was served over HTTPS also serves resources over HTTP. A man-in-the-middle attacker could tamper with the HTTP resource and gain full access to the website that loads the resource or monitor users' actions.

Clear text password: An application returns sensitive content with an invalid content type, or without an X-Content-Type-Options: nosniff header.

Outdated Library: The version of an included library is known to contain a security issue. The scanner checks the version of the library in use against a known list of vulnerable libraries. False positives are possible if the version detection fails or if the library has been manually patched.

Web Security Scanner identifies some vulnerable versions of the following popular libraries:

This list is updated periodically with new libraries and updated vulnerabilities as applicable.
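The two header- and markup-level checks described in Table A (an HTTPS page loading sub-resources over plain HTTP, and a response served without X-Content-Type-Options: nosniff) can be reproduced locally before a managed scan runs. The following is an added example written for this page, not Web Security Scanner's own code; the response it inspects is a constructed sample, and the finding names it emits are hypothetical labels rather than Security Command Center categories.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a sub-resource (navigation <a href> is excluded).
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href", "object": "data"}


class _ResourceCollector(HTMLParser):
    """Collect (tag, url) pairs for every sub-resource the page would load."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def find_mixed_content(page_url, html):
    """Sub-resources an HTTPS page loads over plain HTTP (Table A: Mixed-content)."""
    if urlparse(page_url).scheme != "https":
        return []                      # only pages served over HTTPS can have mixed content
    collector = _ResourceCollector()
    collector.feed(html)
    # urljoin resolves relative and protocol-relative ("//host/x") references against the page.
    return [(tag, urljoin(page_url, ref)) for tag, ref in collector.refs
            if urlparse(urljoin(page_url, ref)).scheme == "http"]


def missing_nosniff(headers):
    """True when the X-Content-Type-Options: nosniff header is absent or has another value."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("x-content-type-options", "").strip().lower() != "nosniff"


def check_response(page_url, headers, html):
    """Return a list of (hypothetical finding label, detail) tuples for one fetched page."""
    findings = [("MIXED_CONTENT", url) for _, url in find_mixed_content(page_url, html)]
    if missing_nosniff(headers):
        findings.append(("MISSING_NOSNIFF_HEADER", page_url))
    return findings


# Constructed sample response (not a real site) that triggers both checks.
SAMPLE_URL = "https://app.example.com/login"
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}   # no X-Content-Type-Options
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<a href="http://example.com/help">Help</a>
</body></html>"""
```

The protocol-relative script reference resolves to HTTPS and the plain link is navigation, so only the stylesheet is reported as mixed content.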

Learn more about Using the Security Command Center dashboard.

Scan configurations

To review managed scan configurations and manually start scans, use the Cloud Console.

To see the managed scan configuration for a project:

  1. Go to the Web Security Scanner page in the Cloud Console.
  2. Select a project. A page appears with a list of your managed and custom scans.
  3. Under Scan configs, click managed_scan. The page that appears shows the results of the most recent managed scan, including scan status, URLs crawled, and vulnerabilities found. Use the drop-down list to see the results of previous scans.

Web Security Scanner administers and maintains managed scans, so you cannot modify scan configurations. Managed scans can only be edited or deleted in Security Command Center, as discussed in Disabling managed scans.

On-demand scans

Managed scans run automatically on a set schedule. However, you can use the Web Security Scanner interface to run on-demand managed scans:

  1. Go to the Web Security Scanner page in the Cloud Console.
  2. Select a project. A page appears with a list of your managed and custom scans.
  3. Under Scan configs, click managed_scan.
  4. On the next page, click Run at the top of the page, or
  5. Click Run scan again in the Results tab.

The scan begins and findings are updated in Security Command Center when completed. On-demand managed scans are useful when you want to capture findings for new or updated projects in between scheduled scans. On-demand scans don't impact the timing of scheduled weekly scans.

You can find more information about the scan in the project logs page.

Disabling managed scans

It is recommended that you keep Web Security Scanner enabled for all in-scope projects. However, you can disable Web Security Scanner or remove specific projects from Web Security Scanner managed scans.

To remove projects from managed scans:

  1. Go to the Services page in Security Command Center.
  2. Select your organization.
  3. Navigate to Advanced settings and expand the menu to see your folders and projects.
  4. Under the Web Security Scanner column, select Disable by default in the drop-down list for each project you want to remove from managed scans.

Disabled projects are no longer included in managed scans.

To disable Web Security Scanner in Security Command Center:

  1. Go to the Services page in Security Command Center.
  2. Select your organization.
  3. In the drop-down list next to Web Security Scanner, select Disable by default.

Web Security Scanner is disabled in Security Command Center and managed scans will no longer run.

You can continue to use Web Security Scanner as a standalone product through the Web Security Scanner interface in the Cloud Console, with the following changes:

  • You need to configure and manage custom scans for each of your projects.
  • Managed scan configurations are archived and existing managed scan findings remain viewable in the Security Command Center dashboard.
  • Managed scans are only available in Security Command Center Premium, so managed scan configurations and existing managed scan findings are removed from the Web Security Scanner interface.

If Web Security Scanner is turned back on in Security Command Center, managed scan configurations and findings reappear in the Web Security Scanner interface. Generally, if the same vulnerabilities are found during new scans, existing findings are updated. If your application or website changed substantially since the last scan, new findings may be created.
