
Practical Application for Cloud Computing: Web Applications Security Testing

Instructor: Muhammad Wannous

Muhammad has been teaching Computer Sci. and Eng. and has a Ph.D. degree in Computer Sci. and Electrical Eng.

Security is a major concern for both service providers and consumers within the cloud computing environment, and the availability of security checking tools is advantageous for both. This lesson introduces Security Scanner, a cloud-based software tool designed to assist consumers in checking for common vulnerabilities in the web applications they deploy on Google App Engine. We demonstrate how to use this tool and the results it produces.

Google App Engine Security Scanner

Ethan is a cloud service consumer. He developed a web application and deployed it as part of a trial in the Google App Engine (GAE), the PaaS (Platform as a Service) available from Google. Ethan is concerned about the security aspect of the application and wants to know if there is a way to check it. He heads to Teresa, an IT consultant with expertise in the cloud environment, for a piece of advice.

Ethan: I deployed a web application in GAE as part of a trial, but I am concerned about its security. Could you advise me of a way or a tool to check whether it is vulnerable or not?

Teresa: I think you can start by checking for common vulnerabilities. For this purpose, the Cloud Security Scanner, which GAE makes available to consumers like you, is very helpful.

Ethan: Could you tell me more about this tool?

Teresa: Cloud Security Scanner is a web-based tool for use with GAE applications. You can use it to scan for and detect common vulnerabilities like cross-site scripting (XSS), Flash injection, mixed content (HTTP in HTTPS), and software libraries that are insecure or out of date. It is available without any extra charges, but it consumes your resource quota when it runs.

Ethan: It just fits what I need. How can I use it?

Teresa: The tool is available from the consumer cloud console. Let me demonstrate how to use it on my application in GAE.

Creating and Running a New Scan Job

Click on the Navigation menu (Figure-1).

Figure-1: Navigation menu

Then move to "App Engine" in the "Compute" section, and in the menu that pops out pick "Security scans" as shown in Figure-2.


Figure-2: Select security scan


The page that appears lists the scan jobs that you have already created. On this page, you can also create scan jobs and run them as per your needs. To create a new scan job, click on "New Scan" as seen in Figure-3.


Figure-3: New scan


This will take you to a page where you configure the tool (Figure-4).


Figure-4: Configure a new scan


The most important field to fill in on this page is "Starting URLs", where you write the base URL of your application. The tool typically fills it in for you, but you can also type it in if it does not.

Ethan: What should I type here?

Teresa: You may type the application URL in GAE. Something like https://{app id}.appspot.com.

Then click on "Create" and the job will be ready to run. Click on "Run" to start the scan job, as you see in Figure-5.


Figure-5: Running a new scan job


GAE will put the job in a queue until it can find enough resources to run it. Once the job starts, you will see a progress bar indicating the percentage completed and whether any vulnerabilities were detected, as Figure-6 demonstrates.


Figure-6: Scan progress


The Security Scan Results

Once the scan is complete, you get a page showing the security check results. My application has no vulnerabilities according to the scanner, as you see in Figure-7.


Figure-7: Scan results


You might wish to take a look at the URLs that were tested by clicking on the "URLs tested" link as shown in Figure-8.


Figure-8: URLs tested


You can also look at the other fine details of the scan, as demonstrated in Figure-9.


Figure-9: Scan details


Adding Login Credentials

Ethan: Great tool. What if my application had pages that require being logged in to view? Can the tool test them?
