HP Rolls WebInspect 8.0 for Flash Security

HP is expanding its security solutions with new Web 2.0, user behavior and Flash analysis capabilities. There is also a new management tool being released by HP to help enterprises mitigate risks and manage application security testing efforts.

The security efforts from HP (NYSE:HPQ) come as studies continue to show that application security is a large enterprise concern. A new study from Forrester (sponsored by HP competitor Veracode) claims that 62 percent of companies had been breached by way of a software vulnerability in the last 12 months.

“We’ve seen a huge market shift in the last 12 months,” Nick Bell, Senior Manager, Products, Application Security, Software and Solutions at HP, told InternetNews.com. “People used to ask us why they needed application security testing, now customers ask us how to actually do application security.”

Bell added that Web 2.0 is a big driver for application security, which is a key focus of the computer giant’s new WebInspect 8.0 product.

“The new complexity of applications and the shifting of more business logic and data out to the client has increased the attack surface for hackers,” said Bell.

Vulnerabilities in Flash

A key addition in WebInspect 8.0 is SWFscan, an HP-developed technology for analyzing vulnerabilities in Adobe Flash applications. HP first discussed SWFscan at the Black Hat conference in Washington, D.C., earlier this year and made the base product freely available last month.

HP’s security tools division comes in part from the acquisition of SPI Dynamics in 2007. In adding detailed Flash analysis, HP follows at least one of SPI Dynamics’ traditional competitors. Watchfire (now owned by IBM) released a new version of its AppScan platform with Flash scanning earlier this year.

The new WebInspect 8.0 platform also performs deeper JavaScript analysis. Jeff Morgan, Enterprise Product Manager, Application Security, Software and Solutions at HP, explained that HP is now exercising the JavaScript just like the user would. Morgan argued that application behavior can change once a user starts running a program and actually clicks on items. As such, WebInspect can now find vulnerabilities as the web application changes once it starts running and interacting with users.

Morgan explained that HP brings in the client-side JavaScript code as it is executed and then performs a static analysis on it as it is being used.

Penetration testing tools

As for the specific new types of attacks that WebInspect 8.0 is able to detect, Morgan declined to offer a laundry list of functionality. Other penetration testing tools, like the recently updated one from HP competitor Cenzic, make a point of listing new attacks as they become available.

For example, the latest Cenzic ClickToSecure 5.9 release included new detection mechanisms for ClickJacking, Frame Injection and JavaScript hijacking. Cenzic and HP were involved in a patent dispute which was settled back in 2007.

“I’ve seen some other announcements lately about vendors doing one check or another,” Morgan commented. “A lot of what we’re talking about in this new release is about a brand new approach to understanding vulnerabilities. That’s where people are finding the vulnerabilities in the richness of the apps that are coming across. We’re looking beyond the individual check to make sure we understand where the hackers find vulnerabilities.”
