Google has released its own Web application security scanner, called Skipfish. The free scanner is designed to work within a variety of existing Web application frameworks and is built with an emphasis on speed and low false-positives, the company said.
Skipfish enters a crowded field of Web application security testing tools, both free and commercial. The landscape also includes a slew of security companies and consultancies that specialize in testing Web applications, including WhiteHat, Cenzic and a number of others. Google said that Skipfish is meant to be easy to use, fast and produce few false positives.
“Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments,” according to the scanner’s documentation.
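The documentation's description (recursive crawl, sitemap, annotations) is a good outline of what a web scanner's first phase does. The following is an added example, not code from Skipfish or Google: a minimal same-origin crawler that builds a sitemap and annotates each page with passive findings (missing defensive headers, POST forms with no visible anti-CSRF field, password forms served over plain HTTP). The target site is a constructed in-memory dictionary standing in for HTTP fetches, and the hostname `target.example` and the `fetch` function are assumptions for this example; the dictionary probes and active checks the quote mentions are not reproduced here.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed in-memory "site": path -> (response headers, HTML body).
# Stands in for real HTTP responses so the example runs offline.
BASE = "http://target.example"
SITE = {
    "/": ({"Content-Type": "text/html"},
          '<a href="/about">About</a> <a href="/login">Login</a> '
          '<a href="http://other.example/x">External</a>'),
    "/about": ({"Content-Type": "text/html", "X-Frame-Options": "DENY"},
               '<a href="/">Home</a> <a href="/about#team">Team</a>'),
    "/login": ({"Content-Type": "text/html"},
               '<form method="post" action="/login"><input name="user">'
               '<input name="pass" type="password"></form> <a href="/admin/">Admin</a>'),
    "/admin/": ({"Content-Type": "text/html"},
                '<a href="/admin/users?page=1">Users</a>'),
    "/admin/users": ({"Content-Type": "text/html"},
                     '<a href="/admin/users?page=2">Next</a>'),
}


def fetch(url):
    """Simulated GET (assumption: replace with urllib/requests for a live target)."""
    parts = urlsplit(url)
    if parts.netloc != urlsplit(BASE).netloc:
        return None  # out of scope, never fetched
    page = SITE.get(parts.path)
    if page is None:
        return 404, {}, ""
    return 200, page[0], page[1]


class LinkFormParser(HTMLParser):
    """Collects hrefs and a simple description of each <form> and its inputs."""

    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.forms.append({"method": (a.get("method") or "get").lower(),
                               "action": a.get("action") or "", "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append((a.get("name") or "", a.get("type") or "text"))


def normalize(base, href):
    """Resolve relative links and drop query/fragment so the map has one node per path."""
    s = urlsplit(urljoin(base, href))
    return urlunsplit((s.scheme, s.netloc, s.path or "/", "", ""))


def annotate(headers, parser):
    """Passive checks on one response; returns a list of human-readable notes."""
    notes = []
    for h in ("X-Frame-Options", "Content-Security-Policy"):
        if h not in headers:
            notes.append(f"missing header {h}")
    for f in parser.forms:
        names = [n.lower() for n, _ in f["inputs"]]
        if f["method"] == "post" and not any("csrf" in n or "token" in n for n in names):
            notes.append(f"POST form {f['action']!r} has no visible CSRF token field")
        if any(t == "password" for _, t in f["inputs"]):
            if urlsplit(urljoin(BASE, f["action"])).scheme != "https":
                notes.append(f"password form {f['action']!r} submits over plain HTTP")
    return notes


def crawl(start, max_depth=3):
    """Breadth-first same-origin crawl; returns {url: {status, depth, forms, notes}}."""
    scope = urlsplit(BASE).netloc
    sitemap = {}
    queue = deque([(normalize(start, ""), 0)])
    while queue:
        url, depth = queue.popleft()
        if url in sitemap or depth > max_depth:
            continue
        resp = fetch(url)
        if resp is None:
            continue
        status, headers, body = resp
        p = LinkFormParser()
        p.feed(body)
        sitemap[url] = {"status": status, "depth": depth,
                        "forms": len(p.forms), "notes": annotate(headers, p)}
        for href in p.links:
            nxt = normalize(url, href)
            if urlsplit(nxt).netloc == scope and nxt not in sitemap:
                queue.append((nxt, depth + 1))
    return sitemap


if __name__ == "__main__":
    for url, info in crawl(BASE + "/").items():
        print(f"[{info['status']}] d={info['depth']} {url} forms={info['forms']} {info['notes']}")
```

The `max_depth` bound and the query-string stripping in `normalize` are what keep a crawl like this from looping on paginated or parameterised links; a real scanner would also need rate limiting and a robots/scope policy before it touched anything outside a lab.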
However, the Skipfish scanner is not meant to be a replacement for commercial scanners, it appears. Google says in the documentation that the scanner doesn’t meet many of the evaluation criteria set out by the Web Application Security Consortium for such scanners, and that it also lacks an “extensive database of known vulnerabilities for banner-type checks.”