Security Blog Log: Taking Google Code Search for a spin

The blogosphere is consumed this week by Google Inc.'s latest tool.

In its official blog, the search giant touts Google Code Search as giving responsible programmers a single place to search publicly accessible source code.

"Our view is what's good for the Web is good for Google -- we want users to have the best online experience possible, and we hope [tools like Google Code Search] will help developers create compelling applications for their users," Google Senior Product Manager Bret Taylor wrote.

But as SearchSecurity.com Executive Editor Dennis Fisher wrote Thursday, some security professionals worry this tool will help the dregs of the digital underground as much as it will the law-abiding users.

Google alone has been a resource for hackers who have used the main search engine to pinpoint Web sites that might be ripe for attack. Google Code Search simplifies the process by letting users search for regular expressions, exact strings and restrict their searches to code written in specific programming languages. As Fisher wrote, the tool searches all of the publicly available source code it can find, which includes not just open-source code intentionally made available to the public, but also any code in a Concurrent Versions System (CVS) repository or other form that a developer happens to leave on a public server.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at [email protected]. Recent columns: ZERT rekindles third-party patching debate The new clearinghouse for flaws If e-thieves want your vote, they can have it

Security experts like Gary McGraw, CTO of Dulles, Va.-based software security consultancy Cigital Inc., warned that Google's new tool is "absolutely useful to the bad guys."

But many bloggers viewed the arrival of Google Code Search more positively. Some see it as a genuinely useful tool for finding flaws or writing more ironclad code. For others, it's simply a new toy for finding dirty words and famous names within lines of code.

Information security specialist Nitesh Dhanjani wrote in the OnLamp.com blog that thanks to Google Code Search, it's now easier to scan publicly available source code for potential security issues.

He noted that the idea is to query Google Code Search using techniques previously reserved for local static code analysis, a process he said has drawbacks -- a high rate of false positives and an inability to detect logic errors that may lead to security bugs, for example. But on balance, he added, "static code analysis tools can be used to perform a quick first pass on the source code to detect bugs."

Security luminary Bruce Schneier made mention of the tool in his blog, noting how people could use it to "find usernames and passwords, confidential code, buffer overflows, and all sorts of other things."

While many security pros would see that as bad news, one respondent to Schneier's blog said this cloud has a potential silver lining, saying, "Essentially, this will force a massive audit of existing Internet code." Another respondent to Schneier's blog wrote that the tool is "a positive thing for everyone" because more eyes on the code means better security in the long run.

The "Security to the Core," blog kept by Lexington, Mass.-based Arbor Networks included a positive assessment of Google Code Search from "long-time Arbor hacker" Aaron Campbell.

After 27 years, he wrote, "you'd think static code analysis would be dead. But nothing could be further from the truth. This much I've proven to myself … after toying with Google's newest gift to the world."

Campbell noted that Google Code Search isn't exactly a new concept. For example, he said, the Koders search engine launched last year and claims to have a database with 225,816,744 lines of searchable open source code.

But, he said, Google has "seriously one-upped the competition by providing regular expression matching." Not a hacked-up, watered down subset of regexp, he said, but "full POSIX extended regular expression syntax, as well as select Perl extensions."

Campbell admitted that he threw a "naughty" word into his first search. "Much to my amusement, the first page of results contained colorful language not only in code comments, but also variable and function names," he said. "Potty mouths, the whole lot of us."

Another blogger, Dan Century, used Google Code Search to hunt down famous names residing in code. In his blog, he offered a list his findings:

• Alyson Hannigan: 9 results
• Tara Reid: 20 results
• Lara Croft: 20 results
• Lindsay Lohan: 50 results
• Paris Hilton: 50 results
• Anna Kournikova: 50 results
• Jenna Jameson: 50 results
• Jessica Alba: 50 results
• Sarah Michelle Gellar: 50 results
• Jessica Simpson: 50 results
• Natalie Portman: 50 results
• Christina Aquilera: 100 results
• Agelina Jolie: 100 results
• Jennier Aniston: 100 results
• Britney Spears: 200 results
• Buffy: 6000 results