Google Code Search for Security Vulnerabilities

05 Oct 2006

Stephen de Vries sent an email to SecurityFocus's web application security mailing list earlier today to comment on the new Google Code Search:

Google's code search provides an easy way to find obvious software flaws in open source and example applications.

He provided a few example queries to illustrate his point:

There is certainly some potential for abuse. Here are a few queries for PHP and MySQL vulnerabilities off the top of my head:

There are a few false positives in these results, but hopefully it's clear that with a little bit of effort, it's easy to create a collection of queries to search for common web application security vulnerabilities.

Maybe I'm being naive, but I see a silver lining. With this tool that Google has created, it seems possible to develop a useful static analysis tool for the source code that's in the index. As easily as vulnerabilities can be discovered by the bad guys, they can also be discovered by the good guys.
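As an added example (not from the post, and not Stephen de Vries's queries), here is the kind of crude static check that a regex search over PHP source can express: a two-pass scan of a constructed PHP snippet that flags mysql_query calls built from request input, with a same-line sanitiser check to trim the false positives mentioned above. The rule patterns, sanitiser markers and the sample code are all my own assumptions.

```python
import re

# Constructed PHP snippet (not from any real project) exercising the rules below.
SAMPLE_PHP = """<?php
$id = $_GET['id'];
$safe_id = intval($_GET['id']);
$r1 = mysql_query("SELECT * FROM users WHERE id = $id");
$r2 = mysql_query("SELECT * FROM users WHERE id = " . $_GET['id']);
$r3 = mysql_query("SELECT * FROM users WHERE name = '$_POST[name]'");
$r4 = mysql_query("SELECT * FROM users WHERE id = $safe_id");
$r5 = mysql_query("SELECT * FROM users WHERE name = '" . mysql_real_escape_string($_POST['name']) . "'");
$r6 = mysql_query("SELECT 1");
"""

REQUEST = r"\$_(?:GET|POST|REQUEST|COOKIE)\["
# Assumed sanitiser markers; a hit on the same line suppresses the finding.
SANITISED = re.compile(r"mysql_real_escape_string\s*\(|intval\s*\(|\(int\)")
# Pass 1: a variable assigned straight from request input becomes "tainted".
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*" + REQUEST)
# Pass 2: a query call whose argument carries request input inline.
QUERY_INLINE = re.compile(r"mysql_query\s*\(.*" + REQUEST)


def scan_php(source):
    """Return [(line_number, reason)] for query lines that look injectable."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.match(line)
        if m and not SANITISED.search(line):
            tainted.add(m.group(1))
            continue
        if "mysql_query" not in line:
            continue
        if SANITISED.search(line):
            continue  # escaped or cast on this line: a crude but cheap false-positive filter
        if QUERY_INLINE.search(line):
            findings.append((lineno, "request input used directly in query"))
            continue
        for var in tainted:  # variable tainted earlier in the file, interpolated here
            if re.search(r"\$" + re.escape(var) + r"\b", line):
                findings.append((lineno, f"tainted variable ${var} in query"))
                break
    return findings


if __name__ == "__main__":
    for lineno, reason in scan_php(SAMPLE_PHP):
        print(f"line {lineno}: {reason}")
```

Like the search queries themselves, this is line-oriented: taint that flows through a function call or across files is missed, and a sanitiser on the same line as an unrelated unsafe fragment hides it.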

Can you think of some good queries to add to this list? Please share!