Yahoo’s developers have open-sourced Gryffin, a security scanning platform for web applications, designed to cut down the number of false positives while working at very large scale.
Yahoo has a history of releasing open-source projects that at first look like side ventures and eventually become industry favourites: YUI, Pure, and Hadoop all started that way before being widely adopted across the industry.
Gryffin approaches the problem by crawling pages with PhantomJS, a headless browser that executes each page’s JavaScript, so that links and content generated client-side are covered as well, and then checking the rendered pages for known security flaws and attack vectors.
While every such platform aims for a low false positive rate, Yahoo also wanted broader coverage and an elastic infrastructure.
“Better coverage translates to fewer false negatives. Inherent scalability translates to capability of scanning, and supporting a large elastic application infrastructure,” says the Yahoo team. “Simply put, the ability to scan 1000 applications today to 100,000 applications tomorrow by straightforward horizontal scaling.”
The platform’s code is available on GitHub under the BSD license the company has used for most of its open-source projects.
While not a full-blown security scanner like Yahoo’s Gryffin, Netflix’s team open-sourced Sleepy Puppy, a delayed XSS detection framework, at the start of the month.