We did all the hard work in setting up a GCP org, moving all standalone projects under the Org just to run the SCC premium scan on our App, and guess what??? Our App is deployed across Firebase hosting (for the front end) and also on GKE (for the backend). When I tried to set up Web Security Scanner, I got the error below; it seems like there are a lot of restrictions with static IPs etc. just to run the scans. Firebase is also from Google, if I am not wrong. Is there no way to run a scan for my App?
Hi @dheerajpanyam. In this scenario, does the starting URL for the scan actually map to a reserved, static address in the same project? This is a strict requirement of the Web Security Scanner component.
If it actually is mapped to one, can you also verify whether or not there are AAAA (IPv6) records in DNS for the same starting URL? I.e., does the starting FQDN resolve as both A (IPv4) and AAAA (IPv6) records?
Hello @vaskenh. Our app is split across several GCP services. As I mentioned, Firebase hosting for the frontend and GKE + CR for the backend. From what I know, Firebase hosting returns a CNAME record that I need to add at my DNS provider. There is no way I can get a static IP 😀 with Firebase hosting, since the IP address comes from a predefined IP pool and I would not have any control over it.
Hello @dheerajpanyam, I believe this would not work by default due to the nature of the dynamically assigned IP, as you mentioned. WSS today needs to be applied against domains with a static IP assigned to them. The following link shows a few details on the target restrictions WSS is working with.
In regards to potential solutions, I don't have anything official or tested at this point from my side, but I was wondering if you could make this work by adding a Cloud Application Load Balancing service in front of your hosted App, treating the App as the backend service for the load balancer, assigning a static IP to the load balancer and pointing WSS at the load balancer's IP. Please note this is only in theory and it may not work; it is just an idea to investigate further. I also understand this could introduce added complexity and cost; I am just trying to bounce some ideas around 🙂
Another alternative option I could think of is using an Attack Surface Management (ASM) solution, which can cover some of the challenges you are trying to address:
https://cloud.google.com/blog/products/identity-security/attack-surface-management/
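A pre-flight check for the two questions raised above (does the starting FQDN map to a reserved static IPv4 address in the project, and does it also publish AAAA records). This is an added example, not code from the thread or from Google; the hostnames, addresses, `check_wss_target` and the injectable `resolve` hook are assumptions, and in practice the reserved-address set would come from `gcloud compute addresses list`.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse
import socket


@dataclass
class WssTargetCheck:
    """Pre-flight result for one Web Security Scanner starting URL."""
    fqdn: str
    a_records: list
    aaaa_records: list
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def resolve_live(fqdn: str):
    """Default resolver: ask system DNS for A and AAAA records (needs network)."""
    a, aaaa = set(), set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP):
        (a if family == socket.AF_INET else aaaa).add(sockaddr[0])
    return sorted(a), sorted(aaaa)


def check_wss_target(start_url: str, reserved_static_ips, resolve=resolve_live) -> WssTargetCheck:
    """reserved_static_ips: the project's reserved IPv4 addresses (hypothetical input here).
    resolve(fqdn) -> (a_records, aaaa_records); injectable so the check can run offline."""
    fqdn = urlparse(start_url).hostname
    if not fqdn:
        raise ValueError(f"cannot extract a hostname from {start_url!r}")
    a, aaaa = resolve(fqdn)
    result = WssTargetCheck(fqdn, a, aaaa)
    if not a:
        result.problems.append("no A record: host does not resolve over IPv4")
    for ip in a:
        if ip not in set(reserved_static_ips):
            # Firebase Hosting style: CNAME onto a shared pool, so the address is not ours.
            result.problems.append(f"{ip} is not a reserved static address in this project")
    if aaaa:  # the thread asks to verify this; flag it for review
        result.problems.append(f"AAAA records present ({', '.join(aaaa)}); verify against WSS restrictions")
    return result


if __name__ == "__main__":
    # Constructed sample: canned DNS answers using TEST-NET / documentation addresses.
    def fake_resolve(fqdn):
        return {"app.example.com": (["203.0.113.10"], []),
                "fe.example.com": (["198.51.100.7"], ["2001:db8::7"])}[fqdn]
    for url in ("https://app.example.com/", "https://fe.example.com/"):
        r = check_wss_target(url, {"203.0.113.10"}, resolve=fake_resolve)
        print(r.fqdn, "OK" if r.ok else r.problems)
```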
Thanks much @andras, I shall look at the options you provided.