Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

3/23/2009
03:33 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

HP Offers Free Web Security Tool

HP SWFScan helps Flash developers protect their Websites against unintended application security vulnerabilities and reduce the risk of hackers accessing sensitive data

PALO ALTO, Calif., March 23, 2009 " HP today announced HP SWFScan, a free tool to help Flash developers protect their websites against unintended application security vulnerabilities and reduce the risk of hackers accessing sensitive data.

As companies modernize their applications to give users a better experience online, they are moving to Web 2.0 technologies, including the Adobe' Flash' Platform. With Adobe Flash Player installed on more than 98 percent of Internet-connected PCs worldwide, it is imperative that web applications built with Flash technology are developed securely.

HP SWFScan allows Flash developers to deliver more secure code without becoming security experts. The tool is the first of its kind to decompile applications developed with the Flash Platform and perform static analysis to understand their behaviors. This helps identify vulnerabilities that lie under the surface of an application and are not detectable with traditional dynamic methods. With HP SWFScan, Flash developers can:

  • Check for known security vulnerabilities that are targeted by malicious hackers. This includes unprotected confidential data, cross-site scripting, cross-domain privilege escalation, and user input that does not get validated.

  • Fix problems quickly by highlighting vulnerabilities in the source code and receiving solid guidance on how to fix the security issues.

  • Verify conformance with best security practices and guidelines.

    "The Adobe Flash Platform is being used more and more by large media companies and for business-critical applications. We are working with HP to make sure developers have tools to help secure content and keep customers safe," said Brad Arkin, product security and privacy director, Secure Software Engineering Team, Adobe. "We worked with HP on their SWFScan tool, which will help Flash developers find potential security issues early in the development process so they can understand and prevent problems before web applications are ever deployed." Find, fix and prevent security vulnerabilities An example of the types of security vulnerabilities HP SWFScan can prevent is leaving confidential information accessible to hackers. Flash developers often create an unintentional vulnerability by encoding access information such as passwords, encryption keys or database information directly into their applications. This video demonstrates how hackers can exploit this vulnerability. HP analyzed almost 4,000 web applications developed with Flash software and found that 35 percent violate Adobe security best practices. Hackers can exploit this situation to circumvent security measures and gain unfettered access to sensitive information. HP SWFScan helps developers find and correct these problems before they become an issue.

    "Applications developed with Flash technologies are no more immune to security vulnerabilities than any other web applications," said Joseph Feiman, vice president and fellow, Gartner. "Giving Flash developers the ability to check whether their code is secure, providing guidance on how to fix it, and offering best secure-programming practices will help to protect businesses and their customers from hackers."

    The HP Web Security Research Group, which developed SWFScan, includes many renowned experts in the security field. The group tracks web-related security threats and develops new technology to help IT professionals eliminate application security vulnerabilities. The results of the group's research are incorporated into HP Application Security Center, a suite of products that allows customers to find, fix and prevent these vulnerabilities across the application life cycle.

    HP Application Security Center includes the HP Assessment Management Platform as the foundation of the solution, and features HP DevInspect software for developers, HP QAInspect software for quality assurance teams and HP WebInspect software for operations and security experts. "As organizations modernize their applications with Web 2.0 technology, they must be vigilant about preventing malicious hacker attacks and eliminating software defects of a security nature," said Jonathan Rende, general manager and vice president, Products, Software and Solutions, HP. "HP continues to help make the web a safer place by turning our security research into solutions for customers to protect their applications, their websites and their sensitive information."

    A free download of HP SWFScan is available at www.hp.com/go/swfscan.

    About HP HP, the world's largest technology company, simplifies the technology experience for consumers and businesses with a portfolio that spans printing, personal computing, software, services and IT infrastructure. More information about HP (NYSE: HPQ) is available at http://www.hp.com/. Note to editors: More news from HP, including links to RSS feeds, is available at http://www.hp.com/hpinfo/newsroom/.

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
    Seth Rosenblatt, Contributing Writer,  1/11/2021
    IoT Vendor Ubiquiti Suffers Data Breach
    Dark Reading Staff 1/11/2021
    The Data-Centric Path to Zero Trust
    Altaz Valani, Director of Insights Research, Security Compass,  1/13/2021
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    2020: The Year in Security
    Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
    Flash Poll
    Assessing Cybersecurity Risk in Today's Enterprises
    Assessing Cybersecurity Risk in Today's Enterprises
    COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-7343
    PUBLISHED: 2021-01-18
    Missing Authorization vulnerability in McAfee Agent (MA) for Windows prior to 5.7.1 allows local users to block McAfee product updates by manipulating a directory used by MA for temporary files. The product would continue to function with out-of-date detection files.
    CVE-2020-28476
    PUBLISHED: 2021-01-18
    All versions of package tornado are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configura...
    CVE-2020-28473
    PUBLISHED: 2021-01-18
    The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with defa...
    CVE-2021-25173
    PUBLISHED: 2021-01-18
    An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory allocation with excessive size vulnerability exists when reading malformed DGN files, which allows attackers to cause a crash, potentially enabling denial of service (crash, exit, or restart).
    CVE-2021-25174
    PUBLISHED: 2021-01-18
    An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory corruption vulnerability exists when reading malformed DGN files. It can allow attackers to cause a crash, potentially enabling denial of service (Crash, Exit, or Restart).