Built for large enterprise networks: Google releases open source vulnerability scanner Tsunami

According to media reports, Google has released Tsunami, an open-source vulnerability scanner for large enterprise networks. The scanner is understood to have been used internally at Google and was published on GitHub last month. Tsunami will not be an official Google brand; it will be maintained by the open source community, much as Kubernetes, another tool that started inside Google, was first made available to the public.

How Tsunami works

There are hundreds of commercial and open source vulnerability scanners on the market, but what sets Tsunami apart is that Google designed it for companies of its own size: organizations that operate networks with hundreds of thousands of servers, workstations, network devices, and Internet of Things devices connected to the Internet.

Google says it designed Tsunami from the start to cope with networks this large and this heterogeneous, without having to run a different scanner for each device type.

According to the company, Tsunami is split into two main components, with an extensible plug-in mechanism layered on top.

The first component is the scanner itself, the reconnaissance module. It scans the company's network for open ports, then probes each port to identify the exact protocol and service running on it, so that ports are not mislabeled and devices are not tested for the wrong vulnerabilities. Google notes that the port fingerprinting module uses some custom code but is built on the industry-tested nmap network mapping engine.

The second component is more complex and operates on the output of the first. It takes each device and its exposed ports, selects a list of vulnerabilities to test for, and runs benign exploits to check whether the device is actually vulnerable. This vulnerability verification module is also where Tsunami is extended through plug-ins.

Plug-ins shipped with the current Tsunami release:

Exposed sensitive UI: applications such as Jenkins, Jupyter, and Hadoop YARN let users schedule workloads or execute system commands through their web UI. If such a system is exposed on the network without authentication, an attacker can use the application's own features to execute malicious commands.

Weak credentials: Tsunami uses other open source tools such as ncrack to detect weak passwords for protocols and services including SSH, FTP, RDP, and MySQL.
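To make the two-stage design and the plug-in gating concrete, here is a small Python model of the pipeline, written for this article. It is not Tsunami's own code (Tsunami itself is written in Java), and the nmap XML, the HTTP responses, the plug-in names and the detection heuristics are all constructed assumptions. Stage 1 parses nmap's XML output into fingerprinted services; stage 2 runs only the plug-ins whose fingerprint matches, and each plug-in issues a benign, read-only probe rather than exploiting the target. The weak-credentials plug-in is not modelled, since it would need a live ncrack run.

```python
"""Toy two-stage scanner modelled on the Tsunami architecture described above.

Illustrative code for this article, NOT Tsunami's implementation. Network I/O
is replaced by a constructed in-memory fetch so the example runs offline.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of `nmap -sV -oX -` output for one host (not a real scan).
NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http" product="Jetty"/></port>
      <port protocol="tcp" portid="8888"><state state="open"/><service name="http" product="Tornado httpd"/></port>
      <port protocol="tcp" portid="3306"><state state="closed"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>"""


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    name: str     # protocol as fingerprinted by nmap (ssh, http, ...)
    product: str  # product banner, "" if nmap could not tell


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    plugin: str
    detail: str


def reconnaissance(nmap_xml: str) -> List[Service]:
    """Stage 1: open ports plus the service nmap fingerprinted on each of them."""
    found: List[Service] = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports never reach the detectors
            svc = port.find("service")
            found.append(Service(addr, int(port.get("portid")),
                                 svc.get("name", ""), svc.get("product", "")))
    return found


# Constructed HTTP responses standing in for a live GET: (status, headers, body).
FAKE_RESPONSES: Dict[Tuple[str, int, str], Tuple[int, Dict[str, str], str]] = {
    ("10.0.0.5", 8080, "/script"): (200, {}, "<title>Jenkins</title> Script Console"),
    ("10.0.0.5", 8888, "/api/status"): (200, {}, '{"started": "2020-07-01T00:00:00Z"}'),
}


def http_get(host: str, port: int, path: str) -> Tuple[int, Dict[str, str], str]:
    """Offline stand-in for an HTTP client; unknown paths answer 404."""
    return FAKE_RESPONSES.get((host, port, path), (404, {}, ""))


def applies_http(svc: Service) -> bool:
    return svc.name == "http"


def detect_jenkins_console(svc: Service) -> Optional[Finding]:
    """Benign probe (hypothetical heuristic): a 200 on /script with no auth challenge
    means the Groovy script console is reachable anonymously. Nothing is executed."""
    status, headers, body = http_get(svc.host, svc.port, "/script")
    if status == 200 and "Script Console" in body and "WWW-Authenticate" not in headers:
        return Finding(svc.host, svc.port, "jenkins_exposed_ui",
                       "Jenkins script console reachable without authentication")
    return None


def detect_jupyter_api(svc: Service) -> Optional[Finding]:
    """Benign probe (hypothetical heuristic): an unauthenticated JSON answer from
    /api/status indicates a Jupyter server without token or password protection."""
    status, _, body = http_get(svc.host, svc.port, "/api/status")
    if status == 200 and body.lstrip().startswith("{"):
        return Finding(svc.host, svc.port, "jupyter_exposed_ui",
                       "Jupyter API answers without authentication")
    return None


# (name, fingerprint gate, benign detector). Assumed plug-in names.
PLUGINS: List[Tuple[str, Callable[[Service], bool], Callable[[Service], Optional[Finding]]]] = [
    ("jenkins_exposed_ui", applies_http, detect_jenkins_console),
    ("jupyter_exposed_ui", applies_http, detect_jupyter_api),
]


def detection(services: List[Service], plugins=PLUGINS) -> List[Finding]:
    """Stage 2: run only the plug-ins whose gate matches the fingerprinted service."""
    findings: List[Finding] = []
    for svc in services:
        for _name, applies, detect in plugins:
            if not applies(svc):
                continue  # e.g. no HTTP probes are ever sent to the SSH port
            finding = detect(svc)
            if finding is not None:
                findings.append(finding)
    return findings


def scan(nmap_xml: str = NMAP_XML) -> List[Finding]:
    return detection(reconnaissance(nmap_xml))


if __name__ == "__main__":
    for f in scan():
        print(f"{f.host}:{f.port} {f.plugin}: {f.detail}")
```

The fingerprint gate is what keeps the second stage cheap and accurate at scale: the closed MySQL port is dropped in stage 1, the SSH port receives no HTTP probes, and a plug-in fires only when its benign probe actually confirms the exposure, which is the false-positive discipline the article describes below.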

Google says it plans to extend Tsunami with new plug-ins in the coming months to detect a wider range of vulnerabilities. All plug-ins will be released through a second, dedicated GitHub repository.

Project will focus on minimizing false positives

Google said the Tsunami project will focus on the needs of large enterprise users like itself and on the conditions found in these large, multi-device networks.

Scan accuracy will be the primary goal, and the project's focus is on producing as few false positives (incorrect findings) as possible.

This matters because the scanner will run on large networks where even a single erroneous finding can lead to the wrong patch being pushed to hundreds of devices, causing device and network outages, wasted engineering hours, and ultimately financial loss for the company.

In addition, Tsunami will be extended to cover only high-severity vulnerabilities that can actually be weaponized, rather than trying to scan for every known vulnerability as most vulnerability scanners do today.