Google Launches Code Search Service; Critics Warn of Possible Security Risks
MOUNTAIN VIEW, CA – Google unveiled a new service this week that allows developers to search software code from both compiled web-based archives and software repositories like SourceForge and Google Code. “We will try to make this useful for everyone from computer science students to serious programmers and even hobbyists and code enthusiasts,” Tom Stocky, a product manager with Google, told VNUNet.com.
Google has also created an Application Programming Interface (API) that enables third-party developers to incorporate a code search box into their own development tools.
Stocky said that Code Search was designed in part to let programmers familiarize themselves with a given programming language by searching for sample code written in it and seeing how particular constructs are used in practice.
“They used to have to think of all the software that was relevant, download it, unzip all the files, and search from there,” said Stocky, according to VNUNet.com. “Now they can go to Google Code Search and search from there.”
While a welcome resource for many programmers, some security experts also caution that the new service means coders should take a close look at their own open-source code before it gets ‘spidered’ by Code Search.
Representatives from several security firms, including industry newcomer Veracode, responded to Thursday’s public launch of Code Search with warnings that open-source repositories can now be probed easily with Google’s new tool, which could let attackers quickly find easily-exploited code.
“It is going deeper into places where code is publicly available, and it’s clearly picking up stuff really well,” said Veracode CTO Chris Wysopal, according to SecurityFocus.com. “This makes it easier and faster for attackers to find vulnerabilities – not for people that want to attack a (specific) Web site, but for people that want to attack any Web site.”
In a statement emailed to SecurityFocus.com, Google emphasized that the tool is intended to assist programmers in finding coding examples and arcane function definitions, not to seek out flaws.
“Google recommends developers use generally accepted good coding practices including understanding the implications of the code they implement and testing appropriately,” Google said in the statement, according to SecurityFocus.com.
According to the security experts interviewed by SecurityFocus.com, much of what Code Search does can already be done with the standard Google search engine, but Code Search makes the hunt much more efficient. Some of those professionals added that, in the long run, this could work out to defenders’ benefit as well.
“This is like giving everyone a telescope,” Wysopal said. “It is making them more efficient. Let’s just hope that they are using this for good.”
Johnny Long, a security researcher who, according to SecurityFocus.com, has “researched Google hacking extensively,” said that defending against the use of Code Search to find flaws in one’s code is not easy and that programmers need to educate themselves on secure programming techniques. Long added that frequent code review is essential and that coding policies need to be enforced.
“If programmers are not motivated to, say, use secure libraries or to avoid known bad functions or techniques,” Long said, “where is the incentive to take the tougher path of writing secure code?”
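The searches the experts above describe are, in practice, pattern matches over source text: a query such as `strcpy\(` restricted to C files turns up every unbounded copy the index has seen. The same pattern can be run over one’s own tree before it is published, which is the “close look” recommended earlier in this article. The script below is an added example and is not code from Google, Veracode or any project mentioned here. It checks a small constructed set of C files (embedded inline, not real repository contents) for a handful of known-bad calls, strips comments first so that a changelog remark does not produce a false hit, and only flags `printf` when its first argument is not a string literal. The function list and advice strings are the author’s own choices, not a standard the article cites.

```python
import re
from collections import namedtuple

# Constructed sample "repository": three small C files, written for this
# example only. Line numbers in the findings refer to these strings.
SAMPLE_FILES = {
    "net/parse.c": (
        "#include <string.h>\n"
        "#include <stdio.h>\n"
        "void handle(const char *in) {\n"
        "    char buf[64];\n"
        "    strcpy(buf, in);   /* unbounded copy */\n"
        "    printf(in);        /* format string from input */\n"
        "}\n"
    ),
    "util/safe.c": (
        "#include <string.h>\n"
        "#include <stdio.h>\n"
        "void handle(const char *in) {\n"
        "    char buf[64];\n"
        "    snprintf(buf, sizeof buf, \"%s\", in);\n"
        "    printf(\"%s\\n\", buf);\n"
        "}\n"
    ),
    "lib/legacy.c": (
        "#include <stdio.h>\n"
        "/* strcpy() and sprintf() were removed in 2005,\n"
        "   see changelog */\n"
        "int read_line(char *dst) {\n"
        "    return gets(dst) != NULL;  // strcpy fallback removed\n"
        "}\n"
    ),
}

# Each rule: a regex whose group(1) is the function name, plus advice.
# The list is illustrative (hypothetical), not an authoritative banned-function set.
RULES = [
    (re.compile(r"\b(gets)\s*\("),
     "reads without a length bound; use fgets() with the buffer size"),
    (re.compile(r"\b(strcpy|strcat|sprintf|vsprintf)\s*\("),
     "copies without a length bound; use the size-bounded variant and "
     "terminate the buffer explicitly"),
    # printf whose first argument does not start with a quote: the format
    # string is a variable, so it may be attacker-controlled.
    (re.compile(r"\b(printf)\s*\(\s*(?!\")"),
     "format string is not a literal; use printf(\"%s\", s) instead"),
]

Finding = namedtuple("Finding", "path line func advice")


def strip_comments(src):
    """Blank out /* */ and // comments while preserving line numbering.

    Block comments are replaced by the same number of newlines they
    spanned. Caveat: a '//' inside a string literal (e.g. a URL) would
    also be stripped; acceptable for a pre-publication sweep.
    """
    def keep_newlines(m):
        return "\n" * m.group(0).count("\n")
    src = re.sub(r"/\*.*?\*/", keep_newlines, src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def scan(files):
    """Return a list of Finding for every rule hit in every file."""
    findings = []
    for path, src in files.items():
        for lineno, text in enumerate(strip_comments(src).splitlines(), 1):
            for pattern, advice in RULES:
                for m in pattern.finditer(text):
                    findings.append(Finding(path, lineno, m.group(1), advice))
    return findings


def report(files):
    """Format findings the way a reviewer would read them."""
    return [f"{f.path}:{f.line}: {f.func}() - {f.advice}" for f in scan(files)]


if __name__ == "__main__":
    for line in report(SAMPLE_FILES):
        print(line)
```

Run as-is, the script flags the `strcpy` and non-literal `printf` in `net/parse.c` and the `gets` in `lib/legacy.c`, and reports nothing for `util/safe.c`; the `strcpy` mentioned only in comments is ignored. A real sweep would point `scan()` at files read from disk and extend `RULES` for the project’s own language and libraries.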
Long told SecurityFocus.com that while attackers might have a temporary advantage over developers when it comes to putting Code Search to effective use, programmers should not simply choose to hide their repositories from Google’s new tool.
“Any new technology allows for a new attack vector,” said Long. “The big question is whether the good guys will discover it first.”