Here’s some good news for Google App Engine developers: Google has released a new application security scanner that is well suited to testing new app builds for cross-site scripting (XSS) and mixed content vulnerabilities.
The two usual approaches – parsing the HTML and emulating a browser, or using a real browser – have their weaknesses.
Cloud Security Scanner addresses those weaknesses by first making a high speed pass and parse of the HTML, then performing a slower, full-page render.
Then, a dynamically created botnet of hundreds of virtual Chrome workers scans the site, but doesn’t bombard it with requests or accidentally take it down.
In general, he says that no scanner is foolproof, and after all the scanning, a manual security review of the app is always a great idea.
Cloud Security Scanner is currently in beta, and can be accessed via Google’s Developers Console (Compute > App Engine > Security scans).