A new tool from Google that indexes open-source code repositories across the internet is causing concern among security professionals, mostly because the tool is just so good at what it does. On Thursday, security professionals warned developers that Google Code Search can be used to mine code for exploitable security flaws with very little effort. Using the tool, a would-be attacker can now pick out programs that are likely to be flawed with far greater efficiency than before.

"It is going deeper into places where code is publicly available, and it's clearly picking up stuff really well," said Chris Wysopal, chief technology officer of security startup Veracode. "This makes it easier and faster for attackers to find vulnerabilities - not for people that want to attack a (specific) Web site, but for people that want to attack any Web site."
The tool lets users find code that matches a regular expression, and searches can be narrowed to particular file types and licenses. It crawls and indexes publicly hosted archives (.tar.gz, .tar.bz2, .tar and .zip) as well as CVS and Subversion repositories, which makes it well suited to hunting for flaws across a large body of software at once. The same query serves an attacker, a researcher and a developer auditing their own published code alike; what the search returns is a list of leads to review, not confirmed vulnerabilities.
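As an added illustration (not Google's tool, and not code from the article), the following Python script applies the kind of regular expressions an attacker or auditor would type into a regex-capable code search engine to a small set of constructed source files, with an extension filter standing in for the file-type restriction described above. The file contents, the pattern names and the function names are assumptions made for this example; the patterns are deliberately crude and will produce false positives, which is exactly why each hit is a lead to review rather than a confirmed flaw.

```python
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample files standing in for a crawled archive (assumption:
# these are invented for the example and are not real projects).
SAMPLE_TREE: Dict[str, str] = {
    "src/net/parse.c": (
        '#include <string.h>\n'
        'void handle(const char *in) {\n'
        '    char buf[64];\n'
        '    strcpy(buf, in);          /* unbounded copy into fixed buffer */\n'
        '    sprintf(buf, "%s", in);   /* unbounded formatted write */\n'
        '}\n'
    ),
    "src/util/log.c": (
        '#include <stdio.h>\n'
        'void log_msg(const char *msg) {\n'
        '    printf(msg);             /* caller controls the format string */\n'
        '    printf("%s\\n", msg);     /* safe: literal format string */\n'
        '}\n'
    ),
    "web/login.php": (
        '<?php\n'
        '$q = "SELECT * FROM users WHERE name = \'" . $_GET["u"] . "\'";\n'
        'mysql_query($q);\n'
    ),
    # Prose that mentions a dangerous call: a file-type filter drops it.
    "README.txt": "Never call gets() in new code; see src/.\n",
}

# Queries of the kind one would submit to a regex code search. The names are
# labels chosen for this example, not categories defined by any tool.
PATTERNS: Dict[str, re.Pattern] = {
    # Classic unbounded string functions.
    "unbounded-copy": re.compile(r"\b(strcpy|strcat|gets)\s*\("),
    # sprintf with no length bound.
    "unbounded-sprintf": re.compile(r"\bsprintf\s*\("),
    # printf/syslog whose only argument is a bare identifier, i.e. a
    # non-literal format string.
    "format-string": re.compile(r"\b(printf|syslog)\s*\(\s*[A-Za-z_]\w*\s*\)"),
    # An SQL keyword followed on the same line by raw PHP request input.
    "sql-from-request": re.compile(
        r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*\$_(GET|POST|REQUEST)\["),
}

Hit = Tuple[str, int, str, str]  # (path, line number, pattern name, line)


def search(tree: Dict[str, str], patterns: Dict[str, re.Pattern],
           extensions: Optional[Sequence[str]] = None) -> List[Hit]:
    """Run every pattern over every line of every file in the tree.

    `extensions` mimics the file-type restriction: when given, only paths
    ending in one of them are searched. Returns hits in path order.
    """
    hits: List[Hit] = []
    for path, text in sorted(tree.items()):
        if extensions is not None and not path.endswith(tuple(extensions)):
            continue
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name, rx in patterns.items():
                if rx.search(line):
                    hits.append((path, lineno, name, line.strip()))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per pattern, the view an attacker triages from."""
    counts: Dict[str, int] = {}
    for _, _, name, _ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for path, lineno, name, line in search(
            SAMPLE_TREE, PATTERNS, extensions=(".c", ".h", ".php")):
        print(f"{path}:{lineno}: [{name}] {line}")
    print(summarize(search(SAMPLE_TREE, PATTERNS)))
```

Without the extension filter the README line mentioning `gets()` shows up as a fifth hit, which is the false-positive class a file-type restriction removes; the safe `printf("%s\n", msg)` is not reported because the pattern insists on a bare identifier as the format argument.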

Google's response to the warnings was to stress that the tool is intended to help programmers find coding examples and obscure function definitions, not to help find exploitable security flaws in software.

"Google recommends developers use generally accepted good coding practices including understanding the implications of the code they implement and testing appropriately," the company said in a statement e-mailed to SecurityFocus.