Google releases Ratproxy security assessment tool

Google is continuing its incursion into the security world with the release of its passive Web-application security assessment tool, Ratproxy. The tool differs from most other Web app security tools in that it does not actively crawl applications looking for common security problems. Instead, it passively monitors the interactions between a browser and Web applications, and is specifically designed to look for problems with Web 2.0 apps. The implied advantage of this approach is that Ratproxy can be run against production systems without the risk of crashing the applications with too much traffic. Google's documentation for the proxy, which is being released as an open source application, has more detail:

Ratproxy implements a number of fairly advanced and unique checks based on our experience with these applications, as well as all the related browser quirks and content handling oddities. It features a sophisticated content-sniffing functionality capable of distinguishing between stylesheets and JavaScript code snippets, supports SSL man-in-the-middle, on the fly Flash ActionScript decompilation, and even offers an option to confirm high-likelihood flaw candidates with a very lightweight, built-in active testing module.
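To make the two ideas above concrete, the passive approach described in the first paragraph and the content-sniffing check mentioned in Google's documentation, here is a small added illustration written for this post. It is not Ratproxy's code and does not reproduce its heuristics; the `Exchange` records, the `sniff` rules and the sample traffic are all constructed for the example. A passive scanner never issues requests of its own, so the whole check runs over request/response pairs that a browser already produced: the script sniffs what each response body actually is and compares that to the Content-Type the server declared, flagging the mismatches that lead browsers into treating data as code.

```python
"""Passive Content-Type sanity check over already-captured HTTP exchanges.

Added illustration, not Ratproxy's own code. Nothing here sends traffic: the
input is a list of exchanges the browser already performed, which is what makes
a passive scanner safe to point at a production application.
"""
import json
import re
from dataclasses import dataclass


@dataclass
class Exchange:
    """One captured request/response pair (constructed record type)."""
    method: str
    url: str
    content_type: str  # Content-Type header as declared by the server
    body: str


@dataclass
class Finding:
    url: str
    declared: str
    sniffed: str
    note: str


# Crude body classifiers; enough to separate markup, script, stylesheet and JSON.
_HTML_RE = re.compile(r"<\s*(!doctype|html|head|body|script|div|p)\b", re.I)
_JS_RE = re.compile(r"\b(function|var|let|const|return|document|window)\b|=>|\(\s*\)\s*\{")
_CSS_RULE_RE = re.compile(r"(^|[}\s])[@.#]?[\w-][^{};]*\{\s*[\w-]+\s*:[^}]*\}", re.S)

# Map declared MIME types onto the same families the sniffer reports.
_FAMILY = {
    "text/html": "html",
    "application/xhtml+xml": "html",
    "text/css": "stylesheet",
    "application/javascript": "javascript",
    "text/javascript": "javascript",
    "application/x-javascript": "javascript",
    "application/json": "json",
    "text/plain": "text",
}


def sniff(body: str) -> str:
    """Guess what a response body really is, ignoring what the server said."""
    text = body.strip()
    if not text:
        return "empty"
    try:
        json.loads(text)
        return "json"
    except ValueError:
        pass
    if _HTML_RE.search(text):
        return "html"
    if _JS_RE.search(text):
        return "javascript"
    if _CSS_RULE_RE.search(text):
        return "stylesheet"
    return "unknown"


def declared_family(content_type: str) -> str:
    """Reduce 'text/html; charset=utf-8' to the family 'html'."""
    mime = content_type.split(";")[0].strip().lower()
    return _FAMILY.get(mime, "other")


def passive_check(exchanges):
    """Inspect recorded exchanges only; return mismatches between declared and sniffed type."""
    findings = []
    for ex in exchanges:
        declared = declared_family(ex.content_type)
        actual = sniff(ex.body)
        if actual in ("empty", "unknown") or actual == declared:
            continue
        if declared == "text":
            note = "active content served as text/plain; browser MIME sniffing may render it as markup"
        else:
            note = "declared Content-Type does not match the sniffed body"
        findings.append(Finding(ex.url, ex.content_type, actual, note))
    return findings


# Constructed sample traffic, not captured from any real site.
SAMPLE = [
    Exchange("GET", "/static/app.js", "application/javascript", "var app = {}; function init() { return 1; }"),
    Exchange("GET", "/static/site.css", "text/css", ".nav { color: red; }"),
    Exchange("GET", "/api/user", "text/html; charset=utf-8", '{"id": 7, "name": "alice"}'),
    Exchange("GET", "/upload/note.txt", "text/plain", "<html><body><p>hello</p></body></html>"),
]

if __name__ == "__main__":
    for f in passive_check(SAMPLE):
        print(f"{f.url}: declared {f.declared!r}, looks like {f.sniffed}: {f.note}")
```

Run as-is it reports two of the four sample exchanges: the JSON endpoint labelled as HTML and the HTML document labelled as plain text, while the correctly labelled script and stylesheet pass silently. The classifiers are deliberately simple; the point is the shape of the check, which reads recorded traffic and never generates any.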

The proxy is designed to support Windows, Linux, FreeBSD and Mac environments.
