Insecure Adobe Flash applications have been targeted by hackers looking to compromise Web 2.0 sites. But while Flash security is a popular topic of discussion, the most common vulnerabilities associated with Flash apps are due to general programming errors we should all avoid.
With hackers increasingly targeting Web 2.0 sites, knowing how to develop secure
Adobe Flash applications
can be a difference maker when it comes to
avoiding mass compromises.
It is not surprising then that some are calling for developers to pay closer
attention to Flash security. IBM,
just enhanced its AppScan tool to add the ability to test and
scan Flash applications.
At the ShmooCon 2009 conference in Washington,
D.C., Hewlett-Packard's Prajakta Jagdale
used her presentation Feb. 7 to focus on common vulnerabilities in Flash
. In her research, Jagdale found that many developers leave, for
example, uninitialized variables that leave applications open to cross-site
But as she noted in an interview prior to the conference, many of the
input validation to having user name passwords hard-coded inside of the client
code-are not exclusive to Flash.
"These are the general principles that are security principles that are
applicable to any sort of technology language," said Jagdale, research engineer
with the HP Web Security Research Group.
Earlier this year, the SANS Institute teamed with a number of experts to
produce a list of the top 25 most dangerous programming errors. That effort
involved people from more than 30 organizations, including Symantec, McAfee and
The idea was that publicizing a list of the most common problems will cause
buyers to exert more pressure on software vendors to certify that their code is
free from those errors.
The certification, the authors contend, would put responsibility for the
errors and any damage they cause in the hands of the software vendor.
"There appears to be broad agreement on the programming errors,"
SANS Institute Director Mason Brown said at the time in a prepared statement.
"Now it is time to fix them. First we need to make sure every programmer
knows how to write code that is free of the Top 25 errors, and then we need to
make sure every programming team has processes in place to find, fix, or avoid
these problems and has the tools needed to verify their code is as free of
these errors as automated tools can verify."
Whether or not buyers actually start to put pressure on
vendors, avoiding common mistakes like the ones on the list or those
mentioned by Jagdale protects us all in the long run. Certainly, there is no
shortage of sources out there for information regarding best practices. Adobe,
for example, offers a number of resources for developers looking for
guidance on creating secure applications, Jagdale noted.
"All these recommendations are provided by the vendor ... and whenever
developers start developing any applications they should make sure they read
the recommendations there," she said.