Google has open sourced its own internal vulnerability scanner which is designed to be used on large-scale enterprise networks made up of thousands or even millions of internet-connected systems.
The scanner, which is named Tsunami, was made available on GitHub by the search giant last month though it has been used internally at the company for some time now. Now that it is open source though, the vulnerability scanner will no longer be a Google product but will instead be maintained by the open source community in a similar way to Kubernetes.
While hundreds of other commercial and open source vulnerability scanners are available today, Tsunami is a bit different due to the fact that Google built it with other large businesses like itself in mind.
The company designed its vulnerability scanner to be extremely adaptable and Tsunami is capable of scanning a wide variety of device types without the need to run a different scanner for each device.
Tsunami vulnerability scanner
In a blog post, Google explained that Tsunami executes a two-step process when scanning a system.
The first step is reconnaissance during which Tsunami scans a company’s network for open ports. After this, it then tests each port and tries to identify the protocols and services running on them to prevent mislabeling ports and testing devices for the wrong vulnerabilities.
The second step deals with vulnerability verification and here Tsunami uses the information gathered through reconnaissance to confirm that a vulnerability does indeed exist. To do so, the vulnerability scanner executes a fully working, benign exploit. The vulnerability verification module also allows Tsunami to be extended through plugins.
At release, Tsunami ships with detectors for exposed sensitive UIs, found in applications such as Jenkins, Jypyter and Hadoop Yarn, and weak credentials by using open source tools such as ncrack to detect weak passwords used by protocols and tools including SSH, FTP, RDP and MySQL.
In the coming months, Google plans to further enhance Tsunami’s capabilities by adding many more detectors for vulnerabilities similar to remote code execution (RCE). The company is also working on several other new features that will make the vulnerability scanner’s engine more powerful as well as easier to use and extend.