Gryffin can detect SQL injections and XSS vulnerabilities

Sep 26, 2015 03:17 GMT  ·  By

Yahoo's developers have open-sourced Gryffin, a security scanner for Web content, specifically designed to cut down the number of false positives and also work at very large scales.

Yahoo has a history of releasing weird open-source projects that eventually become industry favorites. You know, projects like YUI!, Pure, and Hadoop, which were at first considered stray ventures but eventually came to be widely used by many industry players.

Yahoo's most recent release of this type is Gryffin, a Go & JavaScript platform that allows system administrators to scan URLs for dangerous content and common vulnerabilities like SQL injection and cross-site scripting (XSS).

It does this by using PhantomJS to crawl pages and then replaying them inside a headless browser, looking for known security flaws and attack vectors.

While every such platform aims to achieve low false positive rates, Yahoo also desired to provide a broader coverage and an elastic infrastructure.

"Better coverage translates to fewer false negatives. Inherent scalability translates to capability of scanning, and supporting a large elastic application infrastructure," says the Yahoo team. "Simply put, the ability to scan 1000 applications today to 100,000 applications tomorrow by straightforward horizontal scaling."

"At Yahoo, we're committed to protecting our users' security, and enabling a security ecosystem that helps protect users across the internet. We've developed Gryffin, a large-scale security scanning platform, to scan URLs and identify source code vulnerabilities early in the software development lifecycle," a Yahoo spokesperson told Softpedia.

"We shared the Gryffin code on GitHub to seek feedback from developers and share the technology with and for the general public. We are strong supporters of open source, and believe that online security should not be a competitive advantage; everyone deserves access to available security tools, and the opportunity to collaborate to improve them."

The platform's code is available on GitHub, under the regular BSD license that the company has been using for most of its open-sourced projects.

While not a full-blown security scanner like Yahoo's Gryffin, Netflix's team open-sourced Skull Puppy, an XSS detector, at the start of the month.