HP today announced HP SWFScan, a free tool to help Flash developers protect their websites against unintended application security vulnerabilities and reduce the risk of hackers accessing sensitive data.
As companies modernize their applications to give users a better experience online, they are moving to Web 2.0 technologies, including the Adobe Flash Platform. With Adobe Flash Player installed on more than 98 percent of Internet-connected PCs worldwide, it is imperative that web applications built with Flash technology are developed securely.
HP SWFScan allows Flash developers to deliver more secure code without becoming security experts. The tool is the first of its kind to decompile applications developed with the Flash Platform and perform static analysis to understand their behaviors. This helps identify vulnerabilities that lie under the surface of an application and are not detectable with traditional dynamic methods.
With HP SWFScan, Flash developers can:
- Check for known security vulnerabilities that are targeted by malicious hackers. This includes unprotected confidential data, cross-site scripting, cross-domain privilege escalation, and user input that does not get validated.
- Fix problems quickly by highlighting vulnerabilities in the source code and receiving solid guidance on how to fix the security issues.
- Verify conformance with best security practices and guidelines.
“The Adobe Flash Platform is being used more and more by large media companies and for business-critical applications. We are working with HP to make sure developers have tools to help secure content and keep customers safe,” said Brad Arkin, product security and privacy director, Secure Software Engineering Team, Adobe.
“We worked with HP on their SWFScan tool, which will help Flash developers find potential security issues early in the development process so they can understand and prevent problems before web applications are ever deployed.”
Find, fix and prevent security vulnerabilities
An example of the types of security vulnerabilities HP SWFScan can prevent is leaving confidential information accessible to hackers. Flash developers often create an unintentional vulnerability by encoding access information such as passwords, encryption keys or database information directly into their applications. This video demonstrates how hackers can exploit this vulnerability.
HP analyzed almost 4,000 web applications developed with Flash software and found that 35 percent violate Adobe security best practices. Hackers can exploit this situation to circumvent security measures and gain unfettered access to sensitive information. HP SWFScan helps developers find and correct these problems before they become an issue.
“Applications developed with Flash technologies are no more immune to security vulnerabilities than any other web applications,” said Joseph Feiman, vice president and fellow, Gartner. “Giving Flash developers the ability to check whether their code is secure, providing guidance on how to fix it, and offering best secure-programming practices will help to protect businesses and their customers from hackers.”
The HP Web Security Research Group, which developed SWFScan, includes many renowned experts in the security field. The group tracks web-related security threats and develops new technology to help IT professionals eliminate application security vulnerabilities. The results of the group’s research are incorporated into HP Application Security Center, a suite of products that allows customers to find, fix and prevent these vulnerabilities across the application life cycle.
HP Application Security Center includes the HP Assessment Management Platform as the foundation of the solution, and features HP DevInspect software for developers, HP QAInspect software for quality assurance teams and HP WebInspect software for operations and security experts.
“As organizations modernize their applications with Web 2.0 technology, they must be vigilant about preventing malicious hacker attacks and eliminating software defects of a security nature,” said Jonathan Rende, general manager and vice president, Products, Software and Solutions, HP. “HP continues to help make the web a safer place by turning our security research into solutions for customers to protect their applications, their websites and their sensitive information.”
A free download of HP SWFScan is available at www.hp.com/go/swfscan.