Google Releases Open Source Webapp Security Tool

by Lisa Hoover - Mar. 22, 2010

Google Open Source Programs

Security-minded developers will want to take note of Google's newest open source application security tool, skipfish. It's a fully automated, active web application security reconnaissance tool: you point it at a site, and it crawls the site and probes what it finds for security holes and flaws.

Skipfish is designed to work with several different kinds of web app frameworks, and is built to be speedy while still returning a low incidence of false positives. That's good news for developers but also for people with nefarious intent. As ZDnet's Garett Rogers points out, "On the flip side, a tool that does a good job of detecting vulnerabilities like this, will naturally be used by people looking to abuse it as well."

Google lists skipfish's key features as:

• High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets.

• Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.

• Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.

The scanner performs several security checks looking for high, medium, and low risk flaws. However, Google acknowledges "skipfish is not a silver bullet, and may be unsuitable for certain purposes. For example, it does not satisfy most of the requirements outlined in WASC Web Application Security Scanner Evaluation Criteria (some of them on purpose, some out of necessity); and unlike most other projects of this type, it does not come with an extensive database of known vulnerabilities for banner-type checks." The skipfish development team says if you have a tool that works for you, stick with it. On the other hand, if you're looking for a quick and dirty way to scan a site, skipfish might be the answer.
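The two caveats a practitioner runs into first with a crawler this fast are scope and rate: 2000 requests per second will knock over a small target, and an authenticated crawl that follows the site's own logout link silently downgrades the rest of the scan to anonymous. The wrapper below is an added example, not code from the article or from the skipfish project; it guards a run with an explicit host allow-list and passes skipfish its scoping, exclusion, cookie and rate-limit flags (flag meanings as given by skipfish's own -h output, which you should confirm against your version). The host names, session cookie and wordlist path are placeholders.

```shell
#!/bin/sh
# Added example: a scoped, rate-limited skipfish run.
# Not part of the article or of skipfish itself.
#
# skipfish flags used (check `skipfish -h` on your build):
#   -o dir     write the HTML report into dir (skipfish creates it)
#   -W file    read/write wordlist; skipfish may append learned keywords,
#              so point it at a copy, not the shipped dictionary
#   -I str     only follow URLs containing str (keeps the crawl on target)
#   -X str     skip URLs containing str (here: the logout handler)
#   -C c=v     send an extra cookie, e.g. an authenticated session
#   -l n       cap requests per second
#   -m n       cap simultaneous connections

# Constructed allow-list of hosts we are authorized to scan (placeholders).
ALLOWED_HOSTS="staging.example.test localhost"

# Return 0 if the URL's host is on the allow-list, 1 otherwise.
in_scope() {
    host=$(printf '%s\n' "$1" | sed -e 's#^[a-z]*://##' -e 's#[:/].*$##')
    for h in $ALLOWED_HOSTS; do
        [ "$h" = "$host" ] && return 0
    done
    return 1
}

# scan TARGET OUTDIR WORDLIST SESSION_COOKIE
# Refuses out-of-scope targets and pre-existing output directories.
# With DRY_RUN=1 it prints the command line instead of running skipfish.
scan() {
    target="$1"; outdir="$2"; wordlist="$3"; session="$4"
    in_scope "$target" || {
        echo "refusing $target: host not in allow-list" >&2; return 2; }
    [ ! -e "$outdir" ] || {
        echo "refusing: $outdir already exists, pick a fresh directory" >&2
        return 2; }
    # Limit the crawl to the target prefix, never follow /logout while
    # carrying the session cookie, and stay well under skipfish's default
    # speed so the target survives the scan.
    set -- -o "$outdir" -W "$wordlist" -I "$target" -X /logout \
           -C "$session" -l 50 -m 10 "$target"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'skipfish %s\n' "$*"
        return 0
    fi
    skipfish "$@"
}

# Usage (placeholder values; copy the dictionary first because -W writes to it):
#   cp /path/to/skipfish/dictionaries/minimal.wl ./scan.wl
#   scan http://staging.example.test/ ./report ./scan.wl 'SESSION=deadbeef'
```

Run it with DRY_RUN=1 first to eyeball the command line; drop the -C argument for an unauthenticated baseline scan and compare the two reports.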

Skipfish is licensed under the Apache License 2.0 and is available for download on the project's homepage.


