Google Inc.'s motto may be "Don't be evil," but some people in the security community are worried that the company's new code search tool could help attackers do just that.
Hackers for years have been using Google's main search engine as a way to find Web sites that might be vulnerable to a particular attack. By searching for a given string of code or a specific error message, they can identify Web-based applications ripe for attack.
However, the new Google Code Search makes that process even simpler by enabling users to search for regular expressions, exact strings and even restrict their searches to code written in specific programming languages. The tool searches all of the publicly available source code it can find, which includes not just open-source code intentionally made available to the public, but also any code in a Concurrent Versions System (CVS) repository or other form that a developer happens to leave on a public server.
"A lot of people leave code sitting around. This is absolutely useful to the bad guys," said Gary McGraw, CTO of Cigital Inc., a software security consultancy based in Dulles, Va., that performs code reviews and other services. "A lot of people accidentally publish their CVS code on Web servers or wherever. It could just be that somebody screwed up, but it's still out there."
McGraw cited the formerly proprietary code that runs Diebold Election Systems' AccuVote-TX electronic voting machines as an example. A voting activist was able to download the source code from a Diebold FTP site, which led to the exposure of a number of security flaws in the software and widespread questions about the accuracy of the machines and the integrity of votes cast with them.
Other security experts say the new tool may result in a slew of new vulnerability disclosures in the near future.
"They've made it a lot easier to get something meaningful out of it. I do expect to see a lot more vulnerabilities announced because of this, because it will be an easy way for some of these guys to get some quick press," said Max Caceres, director of product management at Core Security Inc., a Boston-based company that develops penetration-testing tools. "It's very easy to write a clever regular expression and get a thousand results back."
A few simple queries with Google Code Search can easily show a user an area that application developers think might be vulnerable to attack, McGraw said. By looking for terms such as "to do" or "bug" or "security," users can find comments in source code left by developers or testers pointing out problems.
"That's the first thing you do when you do a code review, you start by looking for those comments," McGraw said. "We did a code review once for a big bank and found a comment in the code saying that the developer thought a certain function might be a security vulnerability. He was right and it was even worse than they thought."
Still, the new search engine has plenty of potential as a legitimate tool for developers and could end up being a net positive in terms of security, Caceres said.
"People shouldn't be so quick to label this a security disaster," he said. "Security-wise, in the long term I think it could be a good thing because developers will realize that what they do has implications and will be seen. So maybe they'll be a little more careful."
Pete Lindstrom, a research director at The Burton Group, of Midvale, Utah, said Web developers should already be searching for their own code to avoid risk. Still, there's very little value in external developers attempting to find source code, he said.
"It highlights what the good guys should be looking out for to begin with," Lindstrom said. "Simply because Google is leveraging the scalability of computers through search, shouldn't change our interest in protecting the code to begin with."