HP tool checks Flash apps for common security flaws

Stephen Withers
Tuesday, 24 March 2009 09:01

IT Industry - Development

A new free tool from Hewlett-Packard tests Flash applications for a variety of security vulnerabilities.

Flash is - for better or worse - becoming an increasingly common part of corporate and media web sites as their operators seek to step up levels of interactivity.

Generalisations are always dangerous, but it's probably fair to say that the typical Flash developer doesn't have a background that would lead him or her to keep security in mind while producing an application.

"As organizations modernize their applications with Web 2.0 technology, they must be vigilant about preventing malicious hacker attacks and eliminating software defects of a security nature," said Jonathan Rende, HP's general manager and vice president, products, software and solutions.

Developed by HP's web security research group, the free SWFScan utility decompiles Flash applications and carries out static analysis to identify potentially dangerous practices.

It then provides guidance on fixing the problems detected, highlighting the relevant part of the source code.

Examples of the issues detected by SWFScan include unprotected confidential data (eg, hard-coded passwords, encryption keys or database information), cross-site scripting, cross-domain privilege escalation, and non-validated user input.

"The Adobe Flash Platform is being used more and more by large media companies and for business-critical applications. We are working with HP to make sure developers have tools to help secure content and keep customers safe," said Brad Arkin, product security and privacy director, Secure Software Engineering Team, Adobe.

"We worked with HP on their SWFScan tool, which will help Flash developers find potential security issues early in the development process so they can understand and prevent problems before web applications are ever deployed," he added.

SWFScan can be downloaded from HP's web site.