IBM Targets Adobe Flash Vulnerabilities with New Tool

IBM has released a new version of its AppScan product with new capabilities to scan and test Adobe Flash and Flex applications for vulnerabilities. The tool can also be used to test AJAX technology. IBM says the goal is to help developers better secure dynamic, Web 2.0 sites.

IBM Rational has updated its AppScan tool to offer developers a helping hand in finding vulnerabilities in their Adobe Flash applications.

With AppScan Standard Edition 7.8, IBM has added the ability to not only test and scan Flash apps but also SOA (service oriented architecture) applications and AJAX technology.

The enhancements come as hackers continue to target Web 2.0 sites with their wares. According to research by IBM's X-Force, more than half of all vulnerabilities disclosed last year were tied to Web applications, and of those, more than 74 percent had no patch.

"As business move to more dynamic, personalized Web presences [that are] enabled via Web 2.0 and SOA technologies, there is a need to be more vigilant in managing compliance and security vulnerabilities," said David Grant, director of security and compliance solutions, IBM Rational. "In particular, Adobe Flash, which is now present on 98 percent of desktops, introduces new security and compliance risks."

The new AppScan tool tests for a number of vulnerabilities in Flash and Flex applications, including cross-site flashing, cross-site scripting, Flash parameter injection and misconfiguration. With Flash files, AppScan first determines all the entry points, such as flash variables, query string parameters and uninitiated global variables, and locates potentially dangerous code. It then mutates the input values to determine whether the Flash files are vulnerable, explained David Allan, director of security research at IBM Rational.

"For Flex applications, AppScan will parse the ActionScript Message Format (AMF) and apply tuned payloads to uncover vulnerabilities such as SQL injection, buffer overflows and session fixation," he said. "Lastly, AppScan will also look at the server determine if there are overly permissive settings that may allow an attacker to compromise the application."

IBM has also built in new risk assessment capabilities with the inclusion of CVSS (Common Vulnerability Scoring System) scores. They have also new production monitoring functionality in AppScan OnDemand to allow companies to find and fix problems more readily. Security alerts can also be sent to mobile devices as they occur, allowing customers to immediately fix vulnerabilities before they become noncompliant, IBM officials said.

"What is different is the fact that we now have an offering for monitoring live production Web applications via a SAAS approach," Grant explained. "Previously, organizations were reluctant to test live applications due to the potential of damage, but with this new offering we have eliminated that issue."