Google has given its application security assessment tool that it uses internally its independence. It's made Ratproxy open source code to help developers of Web applications assess their code's security profile.

Ratproxy was developed by Google security expert Michl Zalewski, who will continue to help maintain it. In a July 1 blog posting, Zalewski said Google had made Ratproxy available for free download at http://code.google.com/p/ratproxy/ as open source code . Unlike some security tools that determine the security of an application by firing test penetrations, Ratproxy operates passively, inspecting the application for security exposures.

Zalewski said in his blog that it operates in a "hands off" and "non-disruptive manner." It can do content sniffing, distinguishing between Style Sheets, a standard for building Web site pages, and malicious JavaScript. It can look for snippets of malicious JavaScript buried in content, even though the differences between legitimate code and intruder code can be subtle.

It can do on-the-fly ActionScript decompilation, or a dissection of the Adobe's Flash scripting code designed to run in the end user's Flash Player, to make sure it contains no hidden, intrusive actions.

It is designed to analyze the actions of a user's browser on a Web site and automatically pinpoint and annotate areas of concern or potential flaws, where an intruder might find a way to take advantage of the user-initiated actions allowed on the page, wrote Zalewski. When it finds a suspect application code, it can produce a "very lightweight test" of it that will indicate whether it's a vulnerability. It reports on specific areas of concern, he wrote.

Ratproxy attempts to prevent cross site scripting, where an attacker places JavaScript or other code on a Web site that performs actions with other site visitors other than the one intended, whether it's redirecting them to a dummy site or capturing their personal information.

The tool watches out for mixed content in HTTPS or secure HTTP environments and recognizes it when it is a disallowed feature for an HTTPS application.