Google's cloud will now scan web apps for common security flaws

Google's new Cloud Security Scanner allows users to easily scan applications for two common vulnerabilities: cross-site scripting and mixed content.

Google's cloud platform will now scan developers' applications for common security vulnerabilities.

The search giant said Thursday the new security bug checker, dubbed the Google Cloud Security Scanner, will detect two common flaws: cross-site scripting (XSS) and mixed content.

Because common HTML5 and JavaScript-heavy applications are more challenging to crawl and test, Google said the scanner takes a novel approach by parsing the code and then executing a full-page render to find more complex areas of a developer's site.

Using Google's Compute Engine, the scanner will "create a botnet of hundreds of virtual Chrome workers to scan your site," said Rob Mann, Google security engineering manager, in a blog post.

In another test for cross-site scripting, which allows hackers to inject potentially malicious code into a hosted web app, Google will "attack" the site (albeit safely and in a controlled way) with a benign payload to determine if a web app is vulnerable.

The service, currently in beta, is part of Google's effort to double down on security matters in the past few weeks and months. But the company has faced controversy and anger at some of its decisions.

The company's Project Zero, a division that discovers security vulnerabilities in common software and web-based services, disclosed a number of bugs in recent weeks. Microsoft did not take too kindly to it the first time around, but Google did it again -- disclosing yet another bug that it claimed the software giant had stalled on fixing. That said, the two companies have seen common ground on an effort to tackle false antivirus flags, which Google said is a "headache" for both users and app developers.

But the search giant also took a hit after it said it would not patch a critical security bug in older Android versions, which make up more than 60 percent of the Android ecosystem.