Google launches web security scanner

Google has launched an open source scanner that allows web app developers to probe nascent applications for security vulnerabilities.

According to H Security, Skipfish runs  on a Linux/Unix command line and offers a “similar [yet faster] functionality” to utilities such as Nmap or Nessus.

“Using fully automated heuristics, it detects code that is vulnerable to cross-site scripting attacks (XSS), SQL and XML injection attacks and many other attack types. The tool’s comprehensive post-processing of the individual test results is designed to help with the interpretation of the final report,” wrote H Security’s Chris Von Eitzen.

“Skipfish is a pure C implementation and according to Google, can easily process 2,000 HTTP requests per second – provided the tested server can handle such a high load. In individual tests across local networks, 7,000+ requests per second have reportedly been sent with a modest CPU load and memory footprint.”

Eitzen explained that Google managed to achieve such high performance by deploying a serial I/O model which processes responses asynchronously and offers superior scalability over traditional (synchronous) multi-threaded approaches.

“Optimized HTTP connection handling via features such as HTTP 1.1 range requests, keep-alive connections and data compression are designed to keep Skipfish’s network bandwidth requirements in check,” added Eitzen.