As companies modernize their applications to give users a better experience online, they are moving to Web 2.0 technologies, including the Adobe® Flash® Platform. With Adobe Flash Player installed on more than 98 percent of Internet-connected PCs worldwide, it is imperative that web applications built with Flash technology are developed securely.
HP SWFScan allows Flash developers to deliver more secure code without becoming security experts. The tool is the first of its kind to decompile applications developed with the Flash Platform and perform static analysis to understand their behaviors. This helps identify vulnerabilities that lie under the surface of an application and are not detectable with traditional dynamic methods.
With HP SWFScan, Flash developers can:
- Check for known security vulnerabilities that are targeted by malicious hackers. This includes unprotected confidential data, cross-site scripting, cross-domain privilege escalation, and user input that does not get validated.
- Fix problems quickly by highlighting vulnerabilities in the source code and receiving solid guidance on how to fix the security issues.
- Verify conformance with best security practices and guidelines.
“The Adobe Flash Platform is being used more and more by large media companies and for business-critical applications. We are working with HP to make sure developers have tools to help secure content and keep customers safe,” said Brad Arkin, product security and privacy director, Secure Software Engineering Team, Adobe. “We worked with HP on their SWFScan tool, which will help Flash developers find potential security issues early in the development process so they can understand and prevent problems before web applications are ever deployed.”
Find, fix and prevent security vulnerabilities
An example of the types of security vulnerabilities HP SWFScan can prevent is leaving confidential information accessible to hackers. Flash developers often create an unintentional vulnerability by encoding access information such as passwords, encryption keys or database information directly into their applications. This video demonstrates how hackers can exploit this vulnerability.
HP analyzed almost 4,000 web applications developed with Flash software and found that 35 percent violate Adobe security best practices. Hackers can exploit this situation to circumvent security measures and gain unfettered access to sensitive information. HP SWFScan helps developers find and correct these problems before they become an issue.
“Applications developed with Flash technologies are no more immune to security vulnerabilities than any other web applications,” said Joseph Feiman, vice president and fellow, Gartner. “Giving Flash developers the ability to check whether their code is secure, providing guidance on how to fix it, and offering best secure-programming practices will help to protect businesses and their customers from hackers.”
The HP Web Security Research Group, which developed SWFScan, includes many renowned experts in the security field. The group tracks web-related security threats and develops new technology to help IT professionals eliminate application security vulnerabilities. The results of the group’s research are incorporated into HP Application Security Center, a suite of products that allows customers to find, fix and prevent these vulnerabilities across the application life cycle.
HP Application Security Center includes the HP Assessment Management Platform as the foundation of the solution, and features HP DevInspect software for developers, HP QAInspect software for quality assurance teams and HP WebInspect software for operations and security experts.
“As organizations modernize their applications with Web 2.0 technology, they must be vigilant about preventing malicious hacker attacks and eliminating software defects of a security nature,” said Jonathan Rende, general manager and vice president, Products, Software and Solutions, HP. “HP continues to help make the web a safer place by turning our security research into solutions for customers to protect their applications, their websites and their sensitive information.”
A free download of HP SWFScan is available at www.hp.com/go/swfscan.
About HP
HP, the world’s largest technology company, simplifies the technology experience for consumers and businesses with a portfolio that spans printing, personal computing, software, services and IT infrastructure. More information about HP is available at http://www.hp.com/.
Note to editors: More news from HP, including links to RSS feeds, is available at http://www.hp.com/hpinfo/newsroom/.
Adobe is a trademark of Adobe Systems Incorporated.
This news release contains forward-looking statements that involve
risks, uncertainties and assumptions. If such risks or uncertainties
materialize or such assumptions prove incorrect, the results of HP and
its consolidated subsidiaries could differ materially from those
expressed or implied by such forward-looking statements and assumptions.
All statements other than statements of historical fact are statements
that could be deemed forward-looking statements, including but not
limited to statements of the plans, strategies and objectives of
management for future operations; any statements concerning expected
development, performance or market share relating to products and
services; any statements regarding anticipated operational and financial
results; any statements of expectation or belief; and any statements of
assumptions underlying any of the foregoing. Risks, uncertainties and
assumptions include macroeconomic and geopolitical trends and events;
the execution and performance of contracts by HP and its customers,
suppliers and partners; the achievement of expected operational and
financial results; and other risks that are described in HP’s Quarterly
Report on Form 10-Q for the fiscal quarter ended January 31, 2009
and HP’s other filings with the Securities and Exchange Commission,
including but not limited to HP’s Annual Report on Form 10-K for the
fiscal year ended October 31, 2008. HP assumes no obligation and does
not intend to update these forward-looking statements.