HP Launches Web Security Tool For Flash Developers
The new tool, known as HP SWFScan, is specifically aimed at helping Flash developers detect and monitor increasingly sophisticated security threats, such as cross-site scripting and SQL injection attacks, that are often conducted via Flash applications.
Billy Hoffman, HP Web security research group manager, said that the new Web tool addresses a security need left open as developers create increasingly complex Flash applications to meet company business requirements or incorporate third-party Flash applications on their Web pages. Despite their increased sophistication, those same Flash applications often contain copious security holes and open more attack vectors for potential hackers as developers continue to add functionality, Hoffman said.
"You have a large number of people flocking into the Web development space that don't necessarily have Web experience," Hoffman said. "Approaching security on a Web app is vastly different than how you approach security on a desktop."
Hoffman said that, as one answer to the problem, the new SWFScan security tool allows those same developers to easily and efficiently create secure code without having to become security experts, allowing them to more rapidly spot and remediate a wider breadth of potential security threats. "We take a hacker's brain and try to get it into our products," Hoffman said. "We're trying to help developers find and fix security defects before these things get into their products."
The new security tool is designed to decompile applications developed on Flash and subsequently perform a comprehensive behavioral analysis to identify security bugs that often aren't readily spotted by more traditional detection methods, Hoffman said. Specifically, the tool allows Flash developers to check for known security vulnerabilities most likely targeted by malicious hackers, including exposed confidential data, cross-site scripting and cross-domain privilege escalation. It also allows developers to home in directly on the security problems by alerting them to vulnerabilities in the source code and providing guidance to repair the problems, as well as offering regular security best-practice guidelines and updates.
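To make the kind of check described above concrete, here is an added example (not SWFScan's code, and not from HP) of a minimal static scan over decompiled ActionScript: it follows values that arrive from the embedding page (FlashVars and `_root`/`_level0` properties) into browser-facing calls, which is the pattern behind Flash cross-site scripting, and separately flags string literals assigned to credential-looking variable names, the "exposed confidential data" class. The ActionScript fragment, the list of untrusted sources and sinks, and the finding categories are all constructed assumptions for illustration; a real scanner works on the decompiled bytecode and covers far more cases.

```python
import re

# Constructed ActionScript fragments standing in for decompiled SWF output
# (assumed input; not real SWFScan output).
SAMPLE_SOURCE = """\
var page:String = _root.page;
getURL(page);
var apiKey:String = "AKIA-EXAMPLE-0000";
var name:String = root.loaderInfo.parameters.name;
ExternalInterface.call("showName", name);
var home:String = "https://example.test/";
navigateToURL(new URLRequest(home));
"""

# Values under the embedding page's control: FlashVars and _root/_level0
# properties populated from the object/embed tag or the URL (assumed list).
UNTRUSTED = re.compile(r"\b(_root|_level0|loaderInfo\.parameters)\.\w+")
# Calls that hand data to the browser, where a javascript: URL or an
# unescaped string becomes script in the hosting page's origin (assumed list).
SINKS = ("getURL", "navigateToURL", "ExternalInterface.call")
# Variable names that suggest a credential was compiled into the SWF.
SECRET_NAME = re.compile(r"(password|passwd|secret|api_?key|token)", re.I)
# One-line 'var x:Type = expr;' assignments, the only statement shape handled.
ASSIGN = re.compile(r"var\s+(\w+)(?::\w+)?\s*=\s*(.+);$")


def scan(source):
    """Return (line_no, category, detail) findings for the given source text.

    Taint is tracked per variable name: a variable assigned from an untrusted
    source, or from another tainted variable, is tainted; any sink call whose
    argument text references a tainted variable or an untrusted source
    directly is reported as 'xss'. String literals stored in secret-looking
    variables are reported as 'exposed-secret'.
    """
    tainted = set()
    findings = []
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.group(1), m.group(2)
            if UNTRUSTED.search(rhs) or any(
                re.search(rf"\b{t}\b", rhs) for t in tainted
            ):
                tainted.add(var)
            elif SECRET_NAME.search(var) and re.fullmatch(r'"[^"]*"', rhs):
                findings.append((lineno, "exposed-secret", var))
            continue
        for sink in SINKS:
            if sink + "(" in line:
                args = line[line.index(sink) + len(sink) + 1:]
                if UNTRUSTED.search(args) or any(
                    re.search(rf"\b{t}\b", args) for t in tainted
                ):
                    findings.append((lineno, "xss", sink))
    return findings


if __name__ == "__main__":
    for lineno, category, detail in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {category} ({detail})")
```

Run as a script it reports the `getURL` and `ExternalInterface.call` lines as tainted sinks and the `apiKey` literal as an exposed secret, while the fixed `https://example.test/` URL passed to `navigateToURL` is left alone. The per-variable taint set is the part worth keeping in mind when reading real scanner output: a finding on the sink line is only meaningful together with the assignment that introduced the untrusted value.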
While primarily targeted at Flash developers, Hoffman said that the new tool will likely be used for consulting and auditing purposes as well.
Hoffman said that the decision to offer a free Flash scanning tool was the next step in a logical progression as companies move toward Web 2.0 technologies, and as applications such as those built on the Adobe Flash Platform pose greater security risks to companies' Web environments. And with 98 percent of Internet-connected PCs using Adobe Flash Player, Hoffman said that it was increasingly important to ensure that Flash-based Web applications were secure.
"People are attacking Web applications the way they were attacking desktops," he said. "The browser is no longer a dumb terminal."
Meanwhile, Hoffman said that the exponential rise in SQL injection attacks in 2008 was likely just the beginning of a greater wave of attacks that use Flash to inject malicious code into social networking sites and other legitimate Web sites.
"We're still seeing (SQL injection attacks) in terms of mass exploitation. New nuances, attacks on social networks through widgets and mash-ups," he said. "You're basically taking content from multiple untrusted sources and loading it in the same page."
"SQL injection isn't going away, and we're going to see a lot more," he added.
The new SWFScan tool is available to the public as a free download directly from HP.