By: Roger Whitehead, Director, Office Futures. Published: 8th October 2006. Copyright Office Futures © 2006.
The Register — Google Code Search peers into programs’ flaws
Robert Lemos — 8 October 2006
Security professionals warned developers on Thursday that they need to be aware that their open-source repositories can now be easily mined, allowing attackers to target programs that are likely to be flawed. While Google could previously be used to look for specific strings, now the search engine riffles through code that much better. “It is going deeper into places where code is publicly available, and it’s clearly picking up stuff really well,” said Chris Wysopal, chief technology officer of security startup Veracode. “This makes it easier and faster for attackers to find vulnerabilities - not for people that want to attack a (specific) Web site, but for people that want to attack any Web site.”
Google announced on Thursday that the tool is now available for public use. Google Code Search digs through open-source code repositories on the internet, compiling the large amount of source code available on the web into an easily searchable database. The tool allows Web surfers to find code that matches certain regular expressions, and searches can be limited to certain file types and licenses.
Google is not the first to offer this sort of service — see Krugle and Koders, for instance — but its name and consequent media coverage will ensure wide publicity and, probably, greater use.
Fears are being expressed that the Google service will expose weaknesses in people’s programs. The macho response is to say that the programs should have been better made in the first place. That would be of little comfort to users whose accounts get hacked because of an oversight by a coder or system administrator. Best to alert your nearest techie to the potential problem. If he or she says there’s nothing to worry about, make a record of it, if only as a CYA measure.
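As an added illustration (not code from the Register article or from Office Futures), here is a small Python self-audit script that does locally what the article describes a code-search engine doing: it walks a source tree, keeps only files of chosen types (the file-type filter), and applies a watchlist of regular expressions, so that the nearest techie can see what a public search would surface from the project’s own code before anyone else does. The watchlist patterns, the file-type filter and the sample files are constructed for this example and are assumptions, not anything from the original page.

```python
"""
Added example: a regex-based self-audit over a source tree, in the spirit of
the code-search engines discussed in the article. Nothing here is Google's
code; the watchlist, file-type filter and sample files are constructed.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Constructed watchlist: a label paired with the kind of regular expression a
# code-search engine accepts. These are well-known risky idioms, chosen so a
# maintainer can review them in their own tree.
WATCHLIST: Dict[str, "re.Pattern[str]"] = {
    # credential literal assigned in source, e.g. $db_password = "..."
    "hardcoded-password": re.compile(
        r"(?i)(password|passwd|pwd)\s*=\s*['\"][^'\"]+['\"]"
    ),
    # C string copy with no length bound
    "unbounded-strcpy": re.compile(r"\bstrcpy\s*\("),
    # PHP include/require whose path comes straight from the request
    "php-include-from-request": re.compile(
        r"\b(include|require)(_once)?\s*\(?\s*\$_(GET|POST|REQUEST)"
    ),
}

Hit = Tuple[str, int, str, str]  # (relative path, line number, label, line)


def search_tree(
    root: str, patterns: Dict[str, "re.Pattern[str]"], extensions: Tuple[str, ...]
) -> List[Hit]:
    """Walk `root`, keep files whose name ends with one of `extensions`
    (the file-type filter), and return one hit per (line, pattern) match."""
    hits: List[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(extensions):
                continue  # filtered out by file type, like a lang:/file: clause
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, start=1):
                    for label, rx in patterns.items():
                        if rx.search(line):
                            hits.append((rel, lineno, label, line.rstrip("\n")))
    return hits


# Constructed sample repository: two code files that should be flagged and a
# text file that the file-type filter must ignore.
SAMPLE_FILES = {
    "config.php": '$db_password = "hunter2";\ninclude($_GET["page"] . ".php");\n',
    "util.c": "#include <string.h>\nvoid copy(char *d, const char *s) { strcpy(d, s); }\n",
    "README.txt": 'password = "not code, so the file-type filter skips it"\n',
}


def demo() -> List[Hit]:
    """Write the constructed sample files to a temporary tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return search_tree(root, WATCHLIST, (".php", ".c", ".h"))


if __name__ == "__main__":
    for rel, lineno, label, text in demo():
        print(f"{rel}:{lineno}: [{label}] {text}")
```

Running the script prints three findings: the credential literal and the request-driven include in `config.php`, and the `strcpy` call in `util.c`; the `README.txt` line is never examined because `.txt` is outside the chosen file types. Each hit is reported with its file and line so it can be logged as the record the column recommends keeping.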
Other responses dwell on the humorous side of what is being found. (This is hacker humour, remember, not necessarily understandable by or tickling the funny bone of ordinary folk.) Jason Kottke has a starter list of these as well as the worrisome possibilities.
Published by: IT Analysis Communications Ltd.