Google has given its application security assessment tool that it uses internally its independence. It's made Ratproxy open source code to help developers of Web applications assess their code's security profile.
Ratproxy was developed by Google security expert Michl Zalewski, who will continue to help maintain it. In a July 1 blog posting, Zalewski said Google had made Ratproxy available for free download at http://code.google.com/p/ratproxy/ as open source code . Unlike some security tools that determine the security of an application by firing test penetrations, Ratproxy operates passively, inspecting the application for security exposures.
It can do on-the-fly ActionScript decompilation, or a dissection of the Adobe's Flash scripting code designed to run in the end user's Flash Player, to make sure it contains no hidden, intrusive actions.
It is designed to analyze the actions of a user's browser on a Web site and automatically pinpoint and annotate areas of concern or potential flaws, where an intruder might find a way to take advantage of the user-initiated actions allowed on the page, wrote Zalewski. When it finds a suspect application code, it can produce a "very lightweight test" of it that will indicate whether it's a vulnerability. It reports on specific areas of concern, he wrote.
The tool watches out for mixed content in HTTPS or secure HTTP environments and recognizes it when it is a disallowed feature for an HTTPS application.