Hewlett Packard launched a free Web security scanning tool Monday specifically geared to help Flash developers protect their Web sites against malicious security threats and reduce the risk of hackers accessing sensitive data.
The new tool, known as HP SWFScan, is specifically aimed at helping Flash developers detect and monitor increasingly sophisticated security threats, such as cross site scripting and SQL injection attacks, that are often conducted via Flash applications.
Billy Hoffman, HP Web security research group manager, said that the new Web tool addresses a security need that arises as developers create increasingly complex Flash applications to meet company business requirements or incorporate third-party Flash applications on their Web pages. Despite their increased sophistication, those same Flash applications often contain copious security holes and open more attack vectors for potential hackers as developers continue to add functionality, Hoffman said.
"You have a large number of people flocking into the Web development space that don't necessarily have Web experience," Hoffman said. "Approaching security on a Web app is vastly different than how you approach security on a desktop."
Hoffman said that as one answer to the problem, the new SWFScan security tool allows those same developers to easily and efficiently create secure code without having to become security experts, allowing them to more rapidly spot and remediate a wider breadth of potential security threats. "We take a hacker's brain and try to get it into our products," Hoffman said. "We're trying to help developers find and fix security defects before these things get into their products."
The new security tool is designed to decompile applications developed on Flash and subsequently perform a comprehensive behavioral analysis to identify security bugs that often aren't readily spotted by more traditional detection methods, Hoffman said. Specifically, the tool allows Flash developers to check for known security vulnerabilities most likely targeted by malicious hackers, including exposed confidential data, cross site scripting and cross domain privilege escalation. It also allows developers to home in directly on the security problems by alerting them to vulnerabilities in the source code and providing guidance to repair the problems, as well as offering regular best security practice guidelines and updates.
While primarily targeted at Flash developers, Hoffman said that the new tool will likely be used for consulting and auditing purposes as well.
Hoffman said that the decision to offer a free Flash scanning tool was the next step in a logical progression as companies move toward Web 2.0 technologies, and as applications such as Adobe Flash Platform pose greater security risks to companies' Web environments. And with 98 percent of Internet-connected PCs using Adobe Flash Player, Hoffman said that it was increasingly important to ensure that Flash-based Web applications were secure.
"People are attacking Web applications the way they were attacking desktops," he said. "The browser is no longer a dumb terminal."
Meanwhile, Hoffman said that the exponential rise in SQL injection attacks in 2008 was likely just the beginning of a greater wave of attacks that use Flash to inject malicious code into social networking sites and other legitimate Web sites.
"We're still seeing (SQL injection attacks) in terms of mass exploitation. New nuances, attacks on social networks through widgets and mash-ups," he said. "You're basically taking content from multiple untrusted sources and loading it in the same page."
"SQL injection isn't going away, and we're going to see a lot more," he added.
The new SWFScan tool is available to the public as a free download directly from HP here.
