Google Makes Application Security Tool Available As Open Source - InformationWeek
Government // Enterprise Architecture
07:40 PM
Connect Directly

Google Makes Application Security Tool Available As Open Source

Ratproxy was developed by Google security expert Michl Zalewski, who will continue to help maintain it.

Google has given its application security assessment tool that it uses internally its independence. It's made Ratproxy open source code to help developers of Web applications assess their code's security profile.

Ratproxy was developed by Google security expert Michl Zalewski, who will continue to help maintain it. In a July 1 blog posting, Zalewski said Google had made Ratproxy available for free download at as open source code . Unlike some security tools that determine the security of an application by firing test penetrations, Ratproxy operates passively, inspecting the application for security exposures.

Zalewski said in his blog that it operates in a "hands off" and "non-disruptive manner." It can do content sniffing, distinguishing between Style Sheets, a standard for building Web site pages, and malicious JavaScript. It can look for snippets of malicious JavaScript buried in content, even though the differences between legitimate code and intruder code can be subtle.

It can do on-the-fly ActionScript decompilation, or a dissection of the Adobe's Flash scripting code designed to run in the end user's Flash Player, to make sure it contains no hidden, intrusive actions.

It is designed to analyze the actions of a user's browser on a Web site and automatically pinpoint and annotate areas of concern or potential flaws, where an intruder might find a way to take advantage of the user-initiated actions allowed on the page, wrote Zalewski. When it finds a suspect application code, it can produce a "very lightweight test" of it that will indicate whether it's a vulnerability. It reports on specific areas of concern, he wrote.

Ratproxy attempts to prevent cross site scripting, where an attacker places JavaScript or other code on a Web site that performs actions with other site visitors other than the one intended, whether it's redirecting them to a dummy site or capturing their personal information.

The tool watches out for mixed content in HTTPS or secure HTTP environments and recognizes it when it is a disallowed feature for an HTTPS application.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
IT Success = Storage & Data Center Performance
Balancing legacy infrastructure with emerging technologies requires laying a solid foundation that delivers flexibility, scalability, and efficiency. Learn what the most pressing issues are, how to incorporate advances like software-defined storage, and strategies for streamlining the data center.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll