Google’s new Code Search, a developer tool that scours the Internet for software code, is stirring up buzz over what some see as its potential for misuse by computer attackers.
Code Search is meant to optimize searches for specific software codes, scripts, licenses and related information. However, concerns have arisen over possible nefarious uses of the tool. It conceivably could make it easier for attackers to find software holes, exploit codes and proprietary code that is already available on the Internet.
“It does make it easy to perform a query to find code that might be interesting to you,” said VeriSign iDefense Rapid Response Team Director Ken Dunham, referring to code such as software security holes and actual exploit code for attacks. “As seen with any tool, yes, it is a double-edged sword. Both sides can use it to find vulnerabilities or exploit code.”
The downside of useful Internet tools such as this one is nothing new, however, as computer worms have previously relied on Google and other search engines to find vulnerable systems, IT-Harvest Chief Research Analyst Richard Stiennon told LinuxInsider. The tools are also put to use by the good guys, though, and the result is positive overall.
“It helps in the long term to create a healthier ecosystem of the Internet,” he said.
Top of Mind
Google’s is by no means the first search engine to be used to find vulnerabilities or victims, according to Stiennon. He referred to an Alta Vista search engine-assisted attack on Lotus users more than five years ago.
“It’s always been a great tool for attackers,” he said, indicating Google has also been used repeatedly to find vulnerable software, systems and users — including corporate ones.
Search engine security issues may, in fact, provide an opportunity for a new security market, he said. Google has so far responded well to such matters. The firm should not be blamed for ill deeds done with its products or services, he opined.
“I wouldn’t blame Google or point the finger at them, because the actual code is already there,” he said.
Google for Good
Google Code Search includes only publicly accessible information and is intended to serve as a resource for developers to find sample code and obscure function definitions. It helps them discover code they didn’t know about and, at the same time, promotes collaboration, Google spokesperson Barry Schnitt told LinuxInsider.
“We hope that it will be used as a tool for solving security issues and actually help people prevent exploits,” he said. “In cases where we can help prevent certain malicious behavior, we’ll try to do that. We’re working on some changes already and, as with any Google service, we’re open to suggestions from our users.”
Google has a process for those who do not want their code “crawled,” or scanned by Google’s search engine, Schnitt added, and copyright owners can remove proprietary code from the Code Search results if they want to.
Meanwhile, the security issues raised by Google Code Search are opening the door to more discussion about the security merits of open source software, which is available to anyone.
The public availability of source code may make it more vulnerable to attack, but on the flipside, the expanded army of programmers who also have access to the code will be able to secure it faster and better, said VeriSign iDefense’s Dunham.