Google Code Search gives security experts a sinking feeling

By Dennis Fisher, Executive Editor
11 Oct 2006 | SearchSecurity.com

Security Wire Daily News

Google Inc.'s motto may be "Don't be evil," but some people in the security community are worried that the company's new code search tool could help attackers do just that.

Hackers for years have been using Google's main search engine as a way to find Web sites that might be vulnerable to a particular attack. By searching for a given string of code or a specific error message, they can identify Web-based applications ripe for attack.

However, the new Google Code Search makes that process even simpler by letting users search by regular expression or exact string and even restrict their searches to code written in specific programming languages. The tool searches all of the publicly available source code it can find, which includes not just open-source code intentionally made available to the public, but also any code in a Concurrent Versions System (CVS) repository or other form that a developer happens to leave on a public server.

"A lot of people leave code sitting around. This is absolutely useful to the bad guys," said Gary McGraw, CTO of Cigital Inc., a software security consultancy based in Dulles, Va., that performs code reviews and other services. "A lot of people accidentally publish their CVS code on Web servers or wherever. It could just be that somebody screwed up, but it's still out there."

McGraw cited the formerly proprietary code that runs Diebold Election Systems' AccuVote-TX electronic voting machines as an example. A voting activist was able to download the source code from a Diebold FTP site, which led to the exposure of a number of security flaws in the software and widespread questions about the accuracy of the machines and the integrity of votes cast with them.

Other security experts say the new tool may result in a slew of new vulnerability disclosures in the near future.

"They've made it a lot easier to get something meaningful out of it. I do expect to see a lot more vulnerabilities announced because of this, because it will be an easy way for some of these guys to get some quick press," said Max Caceres, director of product management at Core Security Inc., a Boston-based company that develops penetration-testing tools. "It's very easy to write a clever regular expression and get a thousand results back."

A few simple queries with Google Code Search can easily show a user an area that application developers think might be vulnerable to attack, McGraw said. By looking for terms such as "to do" or "bug" or "security," users can find comments in source code left by developers or testers pointing out problems.

"That's the first thing you do when you do a code review, you start by looking for those comments," McGraw said. "We did a code review once for a big bank and found a comment in the code saying that the developer thought a certain function might be a security vulnerability. He was right and it was even worse than they thought."

Still, the new search engine has plenty of potential as a legitimate tool for developers and could end up being a net positive in terms of security, Caceres said.

"People shouldn't be so quick to label this a security disaster," he said. "Security-wise, in the long term I think it could be a good thing because developers will realize that what they do has implications and will be seen. So maybe they'll be a little more careful."

Pete Lindstrom, a research director at The Burton Group, of Midvale, Utah, said Web developers should already be searching for their own code to avoid risk. Still, there's very little value in external developers attempting to find source code, he said.

"It highlights what the good guys should be looking out for to begin with," Lindstrom said. "Simply because Google is leveraging the scalability of computers through search shouldn't change our interest in protecting the code to begin with."
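
The two defensive steps the article describes, triaging the "to do"/"bug"/"security" comments developers leave behind (McGraw's first step in a code review) and checking your own web server for CVS metadata and source you never meant to publish, can be scripted. The following is an added example, not code from the article or from any of the companies quoted; the marker word list, the comment-syntax heuristics, and the sample C fragment are my own assumptions.

```python
import re
from pathlib import Path
from typing import Dict, List

# Comment markers worth reading first in a review: problems the developers
# themselves wrote down. The word list is an assumption based on the article.
MARKERS = re.compile(r"\b(to\s*do|fixme|xxx|hack|bug|security|vuln\w*|insecure)\b", re.I)

# Comment syntax per source family. A '//' directly after ':' is skipped so
# URLs inside string literals are not mistaken for comments (heuristic only).
COMMENT_SYNTAX = {
    "c": (re.compile(r"(?<!:)//(.*)$"), re.compile(r"/\*(.*?)\*/", re.S)),
    "python": (re.compile(r"#(.*)$"), None),
}
EXT_TO_SYNTAX = {".c": "c", ".h": "c", ".cpp": "c", ".java": "c", ".js": "c", ".py": "python"}

def find_review_markers(source: str, syntax: str = "c") -> List[Dict[str, object]]:
    """Return {line, comment} for every comment containing a review marker."""
    line_re, block_re = COMMENT_SYNTAX[syntax]
    hits: Dict[int, str] = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        m = line_re.search(line)
        if m and MARKERS.search(m.group(1)):
            hits[lineno] = m.group(1).strip()
    if block_re:  # multi-line comments: attribute the hit to the line they start on
        for m in block_re.finditer(source):
            if MARKERS.search(m.group(1)):
                lineno = source.count("\n", 0, m.start()) + 1
                hits.setdefault(lineno, " ".join(m.group(1).split()))
    return [{"line": n, "comment": hits[n]} for n in sorted(hits)]

def scan_tree(root: str) -> Dict[str, list]:
    """Walk a directory (e.g. a web document root): report marker comments in
    source files and any CVS metadata directories, which should never be served."""
    findings: Dict[str, list] = {"markers": [], "cvs_dirs": []}
    for p in Path(root).rglob("*"):
        if p.is_dir() and p.name == "CVS":
            findings["cvs_dirs"].append(str(p))
        elif p.is_file() and p.suffix in EXT_TO_SYNTAX:
            for h in find_review_markers(p.read_text(errors="replace"), EXT_TO_SYNTAX[p.suffix]):
                findings["markers"].append({"file": str(p), **h})
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE_C = """\
#include <string.h>
/* TODO: validate len before copying; possible security bug */
void copy(char *dst, const char *src, int len) {
    memcpy(dst, src, len); // FIXME: bounds not checked
}
const char *home = "http://example.invalid/"; // plain note, no marker
"""

if __name__ == "__main__":
    for hit in find_review_markers(SAMPLE_C):
        print(f"line {hit['line']}: {hit['comment']}")
```

Run `scan_tree("/path/to/webroot")` against a staging copy of a site to get the same view of leftover comments and CVS directories that a public search engine would eventually index.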