"It is going deeper into places where code is publicly available, and it's clearly picking up stuff really well," said Chris Wysopal, chief technology officer of security startup Veracode. "This makes it easier and faster for attackers to find vulnerabilities - not for people that want to attack a (specific) Web site, but for people that want to attack any Web site."
The tool allows users to easily find code that matches certain regular expressions, and searches can be limited to certain file types and licenses. It crawls and indexes publicly hosted archives (.tar.gz, .tar.bz2, .tar, and .zip) and CVS and Subversion repositories, making it an ideal tool to search for flaws in software.
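The mechanics described above (regular expressions applied across every file in an indexed archive, with results narrowed by file type) are the same whether the archive is crawled from the Web or sits on a disk. The following is an added example, not code from the original article or from Google: it packs a few constructed sample files into an in-memory .zip standing in for a publicly hosted archive, then runs a small, assumed set of patterns for well-known risky constructs over it, restricted by extension. Every file, pattern name and regex here is the example's own choice; a pattern hit is a lead for manual review, not a confirmed flaw.

```python
import io
import re
import zipfile
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample "publicly hosted archive": tiny source files written for
# this demonstration only; they are not taken from any real project.
SAMPLE_FILES: Dict[str, str] = {
    "proj/src/net.c": (
        "#include <string.h>\n"
        "void handle(char *in) {\n"
        "    char buf[64];\n"
        "    strcpy(buf, in);   /* unbounded copy into a fixed buffer */\n"
        "}\n"
    ),
    "proj/src/safe.c": (
        "#include <string.h>\n"
        "void handle(char *in) {\n"
        "    char buf[64];\n"
        "    strncpy(buf, in, sizeof buf - 1);\n"
        "    buf[sizeof buf - 1] = 0;\n"
        "}\n"
    ),
    "proj/web/page.php": (
        "<?php\n"
        "$q = \"SELECT * FROM users WHERE id = \" . $_GET['id'];\n"
        "eval($_REQUEST['code']);\n"
    ),
    # Prose that mentions a dangerous call: without a file-type filter it
    # shows up as a false positive.
    "proj/README": "Avoid strcpy() in new code; see src/safe.c.\n",
}

# Assumed patterns a code-search user might try when hunting for risky
# constructs: name -> (regex, file extensions the search is limited to).
PATTERNS: Dict[str, Tuple[str, Tuple[str, ...]]] = {
    "unbounded C string copy": (r"\b(strcpy|strcat|gets)\s*\(", (".c", ".h")),
    "PHP eval on request data": (
        r"\beval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", (".php",)),
    "SQL built by string concatenation": (
        r"SELECT\b.*\"\s*\.\s*\$_(GET|POST|REQUEST)", (".php",)),
}


def build_archive(files: Dict[str, str]) -> bytes:
    """Pack the constructed files into an in-memory .zip (the 'hosted' archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, text in files.items():
            zf.writestr(path, text)
    return buf.getvalue()


def iter_source(archive: bytes,
                exts: Optional[Tuple[str, ...]] = None) -> Iterator[Tuple[str, str]]:
    """Yield (path, text) for each archive member, optionally limited by file type."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if exts and not info.filename.lower().endswith(exts):
                continue
            yield info.filename, zf.read(info).decode("utf-8", errors="replace")


def search(archive: bytes, regex: str,
           exts: Optional[Tuple[str, ...]] = None) -> List[Tuple[str, int, str]]:
    """Apply one regex line by line to every selected file; return (path, line, text)."""
    pat = re.compile(regex)
    hits: List[Tuple[str, int, str]] = []
    for path, text in iter_source(archive, exts):
        for n, line in enumerate(text.splitlines(), start=1):
            if pat.search(line):
                hits.append((path, n, line.strip()))
    return hits


def audit(archive: bytes) -> Dict[str, List[Tuple[str, int, str]]]:
    """Run every pattern with its file-type restriction; results are review leads."""
    return {name: search(archive, rx, exts) for name, (rx, exts) in PATTERNS.items()}


if __name__ == "__main__":
    arc = build_archive(SAMPLE_FILES)
    for name, hits in audit(arc).items():
        print(f"== {name}: {len(hits)} hit(s)")
        for path, n, line in hits:
            print(f"   {path}:{n}: {line}")
    # The same C pattern with no extension filter also matches the README.
    print("unfiltered strcpy hits:",
          len(search(arc, PATTERNS["unbounded C string copy"][0])))
```

The extension filter is what separates code from prose: with it, the `strcpy` pattern matches only `net.c`, while `safe.c` (which uses `strncpy`) and the README are skipped; without it the README's sentence is a false positive. That is the shape of the concern raised in the article: a pattern sweep like this costs nothing to run across every indexed project, and each hit still needs a human to decide whether the surrounding code actually makes it exploitable.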
In response to the warnings, Google said the tool is intended to help programmers find coding examples and obscure function definitions, not to help anyone find exploitable security flaws in software.
"Google recommends developers use generally accepted good coding practices including understanding the implications of the code they implement and testing appropriately," the company said in a statement e-mailed to SecurityFocus.