Google Code Search gives security experts a sinking feeling

By Dennis Fisher, Executive Editor
11 Oct 2006 | SearchSecurity.com

Google Inc.'s motto may be "Don't be evil," but some people in the security community are worried that the company's new code search tool could help attackers do just that.

Hackers for years have been using Google's main search engine as a way to find Web sites that might be vulnerable to a particular attack. By searching for a given string of code or a specific error message, they can identify Web-based applications ripe for attack.

However, the new Google Code Search makes that process even simpler by letting users search by regular expression or exact string, and even restrict their searches to code written in specific programming languages. The tool searches all of the publicly available source code it can find, which includes not just open-source code intentionally made available to the public, but also any code in a Concurrent Versions System (CVS) repository, or in any other form, that a developer happens to leave on a public server.

"A lot of people leave code sitting around. This is absolutely useful to the bad guys," said Gary McGraw, CTO of Cigital Inc., a software security consultancy based in Dulles, Va., that performs code reviews and other services. "A lot of people accidentally publish their CVS code on Web servers or wherever. It could just be that somebody screwed up, but it's still out there."

McGraw cited the formerly proprietary code that runs Diebold Election Systems' AccuVote-TX electronic voting machines as an example. A voting activist was able to download the source code from a Diebold FTP site, which led to the exposure of a number of security flaws in the software and widespread questions about the accuracy of the machines and the integrity of votes cast with them.

Other security experts say the new tool may result in a slew of new vulnerability disclosures in the near future.

"They've made it a lot easier to get something meaningful out of it. I do expect to see a lot more vulnerabilities announced because of this, because it will be an easy way for some of these guys to get some quick press," said Max Caceres, director of product management at Core Security Inc., a Boston-based company that develops penetration-testing tools. "It's very easy to write a clever regular expression and get a thousand results back."

A few simple queries with Google Code Search can easily show a user an area that application developers think might be vulnerable to attack, McGraw said. By looking for terms such as "to do" or "bug" or "security," users can find comments in source code left by developers or testers pointing out problems.

"That's the first thing you do when you do a code review, you start by looking for those comments," McGraw said. "We did a code review once for a big bank and found a comment in the code saying that the developer thought a certain function might be a security vulnerability. He was right and it was even worse than they thought."
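The two checks the article describes, developers flagging problems in comments and CVS metadata left on a web server, can be turned into a pre-deployment scan of one's own web root. The scanner below is an added example written for this page, not a tool from Google, Cigital or Core Security; the marker list, the metadata directory names and the sample files it builds are constructed assumptions.

```python
import os
import re
import tempfile

# VCS metadata dirs that expose the repository when left inside a web root (the article's "accidentally published CVS code").
VCS_DIRS = {"CVS", ".svn", ".git"}

# Comment markers a reviewer reads first; the marker set is a constructed assumption.
COMMENT_RE = re.compile(r"(?:#|//|/\*|<!--|^\s*\*)")
MARKER_RE = re.compile(r"\b(TODO|FIXME|XXX|BUG|HACK|SECURITY)\b", re.IGNORECASE)

def flagged_lines(text):
    """Return (line_no, MARKER, stripped line) for every comment line carrying a marker."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = COMMENT_RE.search(line)
        if not m:
            continue                      # a marker outside a comment is just code
        mk = MARKER_RE.search(line, m.end())
        if mk:
            hits.append((no, mk.group(1).upper(), line.strip()))
    return hits

def scan_tree(root):
    """Walk a deploy tree; return (sorted VCS metadata dirs, {relpath: flagged lines})."""
    vcs_hits, comments = [], {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for d in sorted(set(dirnames) & VCS_DIRS):
            vcs_hits.append(os.path.normpath(os.path.join(rel, d)))
            dirnames.remove(d)            # the directory itself is the finding; do not descend
        for name in filenames:
            try:
                with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as f:
                    hits = flagged_lines(f.read())
            except OSError:
                continue
            if hits:
                comments[os.path.normpath(os.path.join(rel, name))] = hits
    return sorted(vcs_hits), comments

def demo():
    """Build a constructed sample web root, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app", "CVS"))      # constructed: leaked CVS metadata
        with open(os.path.join(root, "app", "login.php"), "w") as f:
            f.write("<?php\n$name = $_GET['u']; // FIXME security: $name is not validated\n")
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html><!-- BUG: remove debug form before release --></html>\n")
        return scan_tree(root)
```

Running `scan_tree` against the real document root before publishing surfaces the same findings a code-search query would hand to an outsider, while the code is still private.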

Still, the new search engine has plenty of potential as a legitimate tool for developers and could end up being a net positive in terms of security, Caceres said.

"People shouldn't be so quick to label this a security disaster," he said. "Security-wise, in the long term I think it could be a good thing because developers will realize that what they do has implications and will be seen. So maybe they'll be a little more careful."

Pete Lindstrom, a research director at The Burton Group, of Midvale, Utah, said Web developers should already be searching for their own code to avoid risk. Still, there's very little value in external developers attempting to find source code, he said.

"It highlights what the good guys should be looking out for to begin with," Lindstrom said. "Simply because Google is leveraging the scalability of computers through search shouldn't change our interest in protecting the code to begin with."
