Is there any need to penetration test a GoogleAppEngine solution? Or will it be protected by Google's existing infrastructure?

Grant Miller
S-K'
  • How should Google's infrastructure be able to protect you from your bugs? – Teetrinker Jul 11 '14 at 11:06
  • I am not interested in testing for bugs, the question is about pen tests (security). – S-K' Jul 11 '14 at 11:51
  • But your bugs can create security issues, e.g. SQL injection when not validating user input. How is Google supposed to know whether the resulting database query is legitimate or not? – Teetrinker Jul 11 '14 at 12:26
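The point made in the comment thread above, that the platform sees only the final query and cannot tell an injected one from a legitimate one, is illustrated here with an added example that is not part of the original question or comments. It uses Python's standard `sqlite3` module against a constructed in-memory `users` table; the function names, the table and the sample input are all assumptions made for the demonstration, and the fix shown is the usual one of binding the value as a query parameter instead of splicing it into the SQL text.

```python
import sqlite3


def make_db():
    # Constructed sample data (not from the original post): a tiny users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # The bug: untrusted input is spliced into the SQL text, so the database
    # receives whatever statement the input happens to form. From the
    # database's (or the hosting platform's) point of view this is just a
    # well-formed query; nothing about it looks malicious.
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    # The fix: the statement text is fixed and the value is bound as a
    # parameter, so the input can only ever be compared as a string value.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    conn = make_db()
    # Constructed input that is a valid string but changes the meaning of
    # the spliced query; the parameterised version treats it as a literal.
    tricky = "nobody' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, tricky),  # every row comes back
        "safe": lookup_safe(conn, tricky),              # no such user: []
        "safe_legit": lookup_safe(conn, "alice"),       # normal lookup still works
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Running the block prints the three result lists. The vulnerable lookup returns both users for an input that matches neither of them, while the parameterised lookup returns nothing for that input and still finds `alice` normally. This is exactly the class of defect the hosting provider cannot see from the outside and that a review or penetration test of your own application code is meant to find.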

1 Answer

Just because Google hosts the site doesn't make it any more secure.

It is still your code that is open to exploitation. If it contains business critical information or user data then it is prudent to use secure programming methods and other practices to ensure the security of the system and your data. This could include penetration testing.

But be sure you are carrying out the testing against your own system and not Google's underlying infrastructure. Also be sure to check the terms and conditions for Google App Engine to ensure penetration testing your site/app is not in breach of them.

Terms: https://developers.google.com/cloud/terms/

Google Audits: http://googleenterprise.blogspot.co.uk/2011/08/security-first-google-apps-and-google.html

Note: the above audit blog post doesn't mean insecure code hosted on Google's systems is guaranteed. It means their overall infrastructure has been audited and certified. Your code can still be vulnerable.

RustyFluff
  • The link to the terms says "deprecated" even in its URL. So I wouldn't assume it helpful. When going to that page, it says the current terms can be found at: https://developers.google.com/cloud/terms/ Also, if anyhow possible, I would suggest to do pen-testing against both platforms. The in-house infrastructure might include some implicit security measures like a firewall that you can't expect to be available on App Engine and that might falsify the pen testing's results. – Teetrinker Jul 14 '14 at 07:32
  • Terms link duly updated. However, I strongly disagree with your suggestion to pen-test Google's cloud infrastructure as well as your own app. If you pen-test Google's infrastructure without explicit permission from Google's legal department then you will be committing a **federal crime under Computer Fraud and Abuse Act (18 U.S.C. 1030)**. In fact even pen-testing his own app could be broadly considered illegal under that act. I refer to this Q/A on this same site: http://security.stackexchange.com/questions/6355/at-what-point-does-hacking-become-illegal – RustyFluff Jul 16 '14 at 07:40
  • I was implicitly assuming Google's permission, of course. I don't know about App Engine but for Amazon's AWS, there are special procedures to apply for special test scenarios that could otherwise be considered an attack. – Teetrinker Jul 16 '14 at 07:44