Google has launched an open source scanner that allows web app developers to probe nascent applications for security vulnerabilities.
“Using fully automated heuristics, it detects code that is vulnerable to cross-site scripting attacks (XSS), SQL and XML injection attacks and many other attack types. The tool’s comprehensive post-processing of the individual test results is designed to help with the interpretation of the final report,” wrote H Security’s Chris Von Eitzen.
“Skipfish is a pure C implementation and according to Google, can easily process 2,000 HTTP requests per second – provided the tested server can handle such a high load. In individual tests across local networks, 7,000+ requests per second have reportedly been sent with a modest CPU load and memory footprint.”
Eitzen explained that Google managed to achieve such high performance by deploying a serial I/O model which processes responses asynchronously and offers superior scalability over traditional (synchronous) multi-threaded approaches.
“Optimized HTTP connection handling via features such as HTTP 1.1 range requests, keep-alive connections and data compression are designed to keep Skipfish’s network bandwidth requirements in check,” added Eitzen.