The blogosphere is consumed this week by Google Inc.'s latest
tool.
In its official blog, the search giant touts Google Code Search as giving
responsible programmers a single place to search publicly
accessible source code.
"Our view is what's good for the Web is good for Google -- we
want users to have the best online experience possible, and we hope
[tools like Google Code Search] will help developers create
compelling applications for their users," Google Senior Product
Manager Bret Taylor wrote.
But as SearchSecurity.com Executive Editor Dennis Fisher wrote
Thursday, some security professionals worry this
tool will help the dregs of the digital underground as much as
it will the law-abiding users.
Google's main search engine has already served as a resource for
attackers, who use it to pinpoint Web sites that might be ripe for
attack. Google Code Search simplifies the process by letting users
search for regular expressions or exact strings and restrict their
searches to code written in specific programming languages. As
Fisher wrote, the tool indexes all of the publicly available
source code it can find, which includes not just open-source code
intentionally made available to the public, but also any code in a
Concurrent Versions System (CVS) repository, or in any other form,
that a developer happens to leave on a public server.
Security experts like Gary McGraw, CTO of Dulles, Va.-based
software security consultancy Cigital Inc., warned that Google's
new tool is "absolutely useful to the bad guys."
But many bloggers viewed the arrival of Google Code Search more
positively. Some see it as a genuinely useful tool for finding
flaws or writing more ironclad code. For others, it's simply a new
toy for finding dirty words and famous names within lines of
code.
Information security specialist Nitesh Dhanjani wrote in the
OnLamp.com blog that thanks to Google Code Search, it's now easier to scan
publicly available source code for potential security issues.
He noted that the idea is to query Google Code Search using
techniques previously reserved for local static code analysis, a
process he said has drawbacks -- a high rate of false positives and
an inability to detect logic errors that may lead to security bugs,
for example. But on balance, he added, "static code analysis tools
can be used to perform a quick first pass on the source code to
detect bugs."
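The regular-expression "first pass" that Dhanjani describes, and the searches for hard-coded passwords and unsafe string functions that the article mentions, amount to grepping source code for suspicious patterns. The following Python script is an added example, not code from the article or from any of the blogs it cites: it runs two such rules over two constructed sample files (the file contents, rule names and patterns are assumptions made for this example) and shows what a pattern pass finds, what it flags wrongly, and what it cannot see at all.

```python
import re
from typing import NamedTuple

# Two constructed sample files standing in for code left on a public server.
# They were written for this example and are not taken from any real project.
SAMPLE_FILES: dict[str, str] = {
    "login.php": (
        "<?php\n"
        "// Constructed sample: hard-coded database credentials\n"
        '$db_user = "admin";\n'
        '$db_pass = "s3cretpassword";\n'
        '$conn = mysql_connect("localhost", $db_user, $db_pass);\n'
    ),
    "netio.c": (
        "#include <string.h>\n"
        "#include <stdio.h>\n"
        "\n"
        "/* strcpy() mentioned in a comment only: a typical false positive */\n"
        "int handle(const char *input) {\n"
        "    char buf[64];\n"
        "    strcpy(buf, input);               /* unbounded copy */\n"
        "    gets(buf);                        /* never safe */\n"
        "    strncpy(buf, input, sizeof(buf)); /* bounded, but may leave buf unterminated */\n"
        "    return 0;\n"
        "}\n"
    ),
}

# Rule names and patterns are assumptions for this example. Python's re module is
# Perl-flavoured, so patterns like these need only minor changes for a search
# engine that accepts POSIX extended regular expressions with Perl extensions.
RULES: list[tuple[str, re.Pattern[str]]] = [
    ("hardcoded-password",
     re.compile(r'(pass(word|wd)?|secret)\s*=\s*["\'][^"\']+["\']', re.IGNORECASE)),
    ("unbounded-copy",
     re.compile(r'\b(strcpy|strcat|sprintf|gets)\s*\(')),
]


class Finding(NamedTuple):
    path: str
    line_no: int   # 1-based
    rule: str
    text: str


def strip_line_comments(line: str) -> str:
    """Remove /* ... */ spans and a trailing // comment from a single line.

    Deliberately crude: it does not track comments that span several lines,
    and it will also strip a '//' that appears inside a string literal.
    """
    line = re.sub(r'/\*.*?\*/', '', line)
    return re.sub(r'//.*$', '', line)


def scan(files: dict[str, str],
         rules: list[tuple[str, re.Pattern[str]]],
         strip_comments: bool = False) -> list[Finding]:
    """Grep-style first pass: every line of every file against every rule.

    The strncpy() line in netio.c is never reported by either mode: whether
    the destination ends up NUL-terminated is a logic question that no
    pattern match can answer, which is the class of bug Dhanjani says this
    approach misses.
    """
    findings: list[Finding] = []
    for path, content in files.items():
        for line_no, raw in enumerate(content.splitlines(), start=1):
            candidate = strip_line_comments(raw) if strip_comments else raw
            for name, pattern in rules:
                if pattern.search(candidate):
                    findings.append(Finding(path, line_no, name, raw.strip()))
    return findings


def summarize(findings: list[Finding]) -> list[str]:
    """Render findings as path:line: [rule] source-text, one per entry."""
    return [f"{f.path}:{f.line_no}: [{f.rule}] {f.text}" for f in findings]


if __name__ == "__main__":
    print("raw regex pass (flags the strcpy inside the comment on netio.c:4):")
    for entry in summarize(scan(SAMPLE_FILES, RULES)):
        print("  " + entry)
    print("with single-line comments stripped:")
    for entry in summarize(scan(SAMPLE_FILES, RULES, strip_comments=True)):
        print("  " + entry)
```

The raw pass reports four hits, one of which is the function name sitting in a comment; stripping single-line comments before matching removes that false positive and leaves three real ones (the credential in login.php and the strcpy and gets calls in netio.c). Neither mode says anything about the strncpy call, which is the point: a pattern search is a cheap way to find candidates, not a substitute for reading the code.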
Security luminary Bruce Schneier made mention of the tool in his
blog, noting how people could use it to "find usernames and
passwords, confidential code, buffer overflows, and all sorts of
other things."
While many security pros would see that as bad news, one
respondent to Schneier's blog said this cloud has a potential
silver lining, saying, "Essentially, this will force a massive
audit of existing Internet code." Another respondent to Schneier's
blog wrote that the tool is "a positive thing for everyone" because
more eyes on the code means better security in the long run.
The "Security to the Core" blog kept by Lexington, Mass.-based
Arbor Networks included a positive assessment of Google Code Search
from "long-time Arbor hacker" Aaron Campbell.
After 27 years, he wrote, "you'd think static code analysis
would be dead. But nothing could be further from the truth. This
much I've proven to myself … after toying with Google's newest gift
to the world."
Campbell noted that Google Code Search isn't exactly a new
concept. For example, he said, the Koders search engine launched
last year and claims to have a database with 225,816,744 lines of
searchable open source code.
But, he said, Google has "seriously one-upped the competition by
providing regular expression matching." Not a hacked-up, watered
down subset of regexp, he said, but "full POSIX extended regular
expression syntax, as well as select Perl extensions."
Campbell admitted that he threw a "naughty" word into his first
search. "Much to my amusement, the first page of results contained
colorful language not only in code comments, but also variable and
function names," he said. "Potty mouths, the whole lot of us."
Another blogger, Dan Century, used Google Code Search to hunt
down famous names residing in code. In his blog, he offered a list
of his findings:
- Alyson Hannigan: 9 results
- Tara Reid: 20 results
- Lara Croft: 20 results
- Lindsay Lohan: 50 results
- Paris Hilton: 50 results
- Anna Kournikova: 50 results
- Jenna Jameson: 50 results
- Jessica Alba: 50 results
- Sarah Michelle Gellar: 50 results
- Jessica Simpson: 50 results
- Natalie Portman: 50 results
- Christina Aguilera: 100 results
- Angelina Jolie: 100 results
- Jennifer Aniston: 100 results
- Britney Spears: 200 results
- Buffy: 6000 results