HP analyzed almost 4,000 web applications developed with Flash software and found that 35 percent violate Adobe security best practices. Hackers can exploit this situation to circumvent security measures and gain unfettered access to sensitive information.
HP has announced HP SWFScan, a free tool to help Flash developers protect their websites against application security vulnerabilities and reduce the risk of hackers accessing sensitive data.
HP SWFScan allows Flash developers to deliver more secure code without becoming security experts. The tool is claimed to be a first of its kind: it decompiles applications developed with the Flash Platform and performs static analysis to understand their behavior. This helps identify vulnerabilities that lie under the surface of an application and are not detectable with traditional dynamic methods.
With HP SWFScan, Flash developers can:
- Check for known security vulnerabilities that are targeted by malicious hackers. This includes unprotected confidential data, cross-site scripting, cross-domain privilege escalation, and user input that does not get validated.
- Fix problems quickly: the tool highlights vulnerabilities in the source code and gives solid guidance on how to fix the security issues.
- Verify conformance with best security practices and guidelines.
The HP SWFScan FAQ says that the tool supports all public versions of Flash, in other words up to and including Flash 10, though SWFScan should continue to work as long as the SWF uses ActionScript 2 or ActionScript 3.
A free download of HP SWFScan is available at www.hp.com/go/swfscan.