Earlier this month, I wrote about HP’s new Flash security tool. That tool, now officially called SWFscan (just as I predicted), is out. But there is one surprise: the tool is free.
SWFscan is a tool that decompiles Flash code and looks for vulnerabilities. HP security researcher Prajakta Jagdale discussed the tool (then under development and not public) at Black Hat in Washington DC in February.
HP claims that to date it has analyzed nearly 4,000 Flash web apps, and surprisingly found that 35 percent of them had some kind of security issue.
The release of SWFscan as a free tool is a good thing, in that it lowers the barriers to entry for developers to understand what they’re doing wrong.
Simple issues like information disclosure and more complex issues like cross-site scripting vulnerabilities aren’t always easily caught during the development process; finding them with SWFscan might make that process a whole lot easier.