Google is set to subject code to the comfy chair treatment after it revealed details of its in-house web application security scanner, codenamed Inquisition.
Built off the back of the web browser Chrome and Google Cloud Platform, the tool is designed for accessibility, with support for the latest HTML 5 and a low false positive rate.
Claudio Criscione, security engineer at Google, said: "Securing modern web applications can be a daunting task — doubly so if they are built (quickly) with diverse languages and technology stacks.
"That’s why we run a multi-faceted product security programme, which helps our engineers build and deploy secure software at every stage of the development lifecycle."
As part of the scheme Google has launched Firing Range, an open source testing environment for automated scanners, that comes with a wide range of cross-site scripting (XSS) bugs, among other vulnerabilities.
The Java app is available on the code repository Github, and can also be deployed as a Google App Engine application, with a public instance already running online.
"Our testbed doesn’t try to emulate a real application, nor exercise the crawling capabilities of a scanner," Criscione added.
Content from our partners
"It’s a collection of unique bug patterns drawn from vulnerabilities that we have seen in the wild, aimed at verifying the detection capabilities of security tools."
