IBM has released a new version of its AppScan product with new capabilities to scan and test Adobe Flash and Flex applications for vulnerabilities. The tool can also be used to test AJAX technology. IBM says the goal is to help developers better secure dynamic, Web 2.0 sites.
IBM Rational has updated its AppScan tool to offer developers a
helping hand in finding vulnerabilities in their Adobe Flash
With AppScan Standard Edition 7.8, IBM has added the ability to not
only test and scan Flash apps but also SOA (service oriented architecture) applications and AJAX technology.
The enhancements come as hackers continue to target Web 2.0 sites
their wares. According to research by IBM's X-Force, more than half of
all vulnerabilities disclosed last year were tied to Web applications,
and of those, more than 74 percent had no patch.
"As business move to more dynamic, personalized Web presences [that
are] enabled via Web 2.0 and SOA technologies, there is a need to be
more vigilant in managing compliance and security vulnerabilities,"
said David Grant, director of security and compliance solutions, IBM
Rational. "In particular, Adobe Flash, which is now present on 98
percent of desktops, introduces new security and compliance risks."
The new AppScan tool tests for a number of vulnerabilities in Flash
and Flex applications, including cross-site flashing, cross-site
scripting, Flash parameter injection and misconfiguration. With Flash
files, AppScan first determines all the entry points, such as flash
variables, query string parameters and uninitiated global variables,
and locates potentially dangerous code. It then mutates the input
values to determine whether the Flash files are vulnerable, explained
David Allan, director of security research at IBM Rational.
"For Flex applications, AppScan will parse the ActionScript Message
Format (AMF) and apply tuned payloads to uncover vulnerabilities such
as SQL injection, buffer overflows and session fixation," he said.
"Lastly, AppScan will also look at the server configuration...to
determine if there are overly permissive settings that may allow an
attacker to compromise the application."
IBM has also built in new risk assessment capabilities with the
inclusion of CVSS (Common Vulnerability Scoring System) scores. They
have also new production monitoring functionality in AppScan OnDemand
to allow companies to find and fix problems more readily. Security
alerts can also be sent to mobile devices as they occur, allowing
customers to immediately fix vulnerabilities before they become
noncompliant, IBM officials said.
"What is different is the fact that we now have an offering for
monitoring live production Web applications via a SAAS approach," Grant
explained. "Previously, organizations were reluctant to test live
applications due to the potential of damage, but with this new offering
we have eliminated that issue."