IBM AppScan Takes Aim at Securing Flash

Adobe’s Flash is pervasive across the Web for video and other types of multimedia content. But Flash is also a technology that can potentially be abused by hackers, a problem that IBM’s Rational unit is hoping to prevent with the new version of its AppScan application vulnerability scanning technology.

The new AppScan 7.8 release is geared specifically to deal with emerging threats from Web applications, many of which today rely on Flash and AJAX.

The update comes as Web apps continue growing in popularity for consumers and enterprises — bringing with them the heightened potential for danger, thanks to security holes in those applications. The new AppScan release comes on the heels of an IBM report that claimed nearly 55 percent of all vulnerability disclosures in 2008 involved off-the-shelf Web applications.

“The next generation of Web applications are introducing new issues, like the pervasive use of Flash,” David Grant, director of security and compliance solutions at IBM Rational, told “Whereas before it used to be for brochureware and content, Flash is now being used for business applications. These new applications are introducing new vulnerabilities that hackers can compromise.”

The AppScan 7.8 release is the first major update to the AppScan product lineup since November 2007. IBM acquired the AppScan product portfolio as part of the acquisition of security vendor Watchfire in June of that year.

With AppScan 7.8, the focus is on a wide array of Flash applications including Flash video files (.flv) as well as Adobe Flex and Adobe AIR applications that run Flash.

Danny Allan, director of security research at IBM Rational, added that there are application vulnerabilities associated with going back and forth in the AMF (ActionScript Message Format) format — the core protocol used by Flex to communicate with a backend server — that could lead to SQL injection or buffer overflows. The AppScan 7.8 scanning engine can scan a Web application for potential AMF and other Flash related vulnerabilities to help developers and security professionals identify and mitigate security issues.

Though Allan claimed that AppScan 7.8 will test anything that will run in Adobe Flex or Adobe AIR, as well as content that will run in a Flash player, there is still one key missing piece — the actual Flash Player itself.

Adobe routinely patches its Flash Player application for security vulnerabilities. But a user that is not using the most up-to-date version could still be at risk from security issues, a problem that IBM intends to figure out.

“IBM Rational is looking at cross-site scripting and AMF-type injection that are in the Flash application rather than look at the Flash Player,” Allan said.

Still, Allan added that IBM is doing a significant amount of research on the topic of figuring out how to properly secure the client side of application delivery in general, and not just Flash.

“If you think about a client that has a Trojan on their machine, the application is at risk because of that Trojan,” Allan said. “There is a real weakness that cannot be controlled on the server side, and that is whether or not the client is compromised.”

Allan admitted that the lack of visibility into the client side is a current weakness, though he said that over the next two years, there will be an increased focus on figuring out how to secure it as well.

Another issue emerging as both a Web application and a client-side problem is “clickjacking.” In a clickjacking attack, a hacker hides a button behind another, legitimate button, so that a user’s click generates an unintended action. That action could lead to information disclosure, as the attacker could potentially use it to get the user’s login credentials.

Currently, there are two principal approaches for dealing with clickjacking from the Web side, and each relies on a technique called “framebusting.” The technique ensures that sensitive content, such as a login box, cannot be broken out of a site and placed into a hidden frame on another site. There is a JavaScript-based framebusting approach, while there is also an approach that relies on the HTTP response header named X-FRAME-OPTIONS, a tactic used by Microsoft’s IE 8. Allan claimed that AppScan 7.8 includes support for both approaches.
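The two defences named above can be checked per response. The following is an added example, not IBM's or AppScan's code: `auditFraming`, its regular expressions and the sample page are hypothetical names and constructed data, and the script check is a heuristic over inline scripts only.

```javascript
// Added example; header values and page bodies used with it are constructed.
const VALID_XFO = new Set(["DENY", "SAMEORIGIN"]);

// Heuristic for script-based framebusting: a comparison between the
// top-level window and the current one, e.g. `if (top !== self)`.
const FRAMEBUST_RE =
  /\b(top|self|parent|window)(\.location)?\s*!==?\s*(top|self|parent|window)(\.location)?\b/;
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;

function auditFraming(headers, body) {
  // Header names are case-insensitive and a header may be sent more than
  // once, so gather every X-Frame-Options value before judging it.
  const xfo = Object.entries(headers)
    .filter(([name]) => name.toLowerCase() === "x-frame-options")
    .flatMap(([, value]) => String(value).split(","))
    .map((v) => v.trim().toUpperCase())
    .filter((v) => v.length > 0);

  const findings = [];
  const headerOk =
    xfo.length > 0 && new Set(xfo).size === 1 && VALID_XFO.has(xfo[0]);
  if (xfo.length === 0) {
    findings.push("X-Frame-Options header missing");
  } else if (!headerOk) {
    findings.push(`X-Frame-Options value needs review: ${xfo.join(", ")}`);
  }

  // Only inline <script> bodies count; the same text in visible markup
  // does nothing to stop framing.
  const scripts = [...body.matchAll(SCRIPT_RE)].map((m) => m[1]);
  const jsFramebust = scripts.some((src) => FRAMEBUST_RE.test(src));
  if (!jsFramebust) findings.push("no JavaScript framebusting check found");

  return { headerOk, jsFramebust, findings };
}

// Constructed login page that carries a script-based framebuster.
const LOGIN_PAGE = `<html><head><script>
  if (top !== self) { top.location = self.location; }
</script></head><body><form action="/login"></form></body></html>`;

console.log(auditFraming({ "X-Frame-Options": "SAMEORIGIN" }, LOGIN_PAGE));
console.log(auditFraming({}, "<html><body><form></form></body></html>"));
```
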

With the AppScan 7.8 release, IBM Rational is also rolling out a new SaaS-based live production server testing tool called IBM’s Rational AppScan OnDemand. Allan noted that the OnDemand offering will not be intrusive enough to impact the performance of a live server. Security scanning vendor Cenzic uses a different approach for live server scanning by using VMware-based virtualization to take a snapshot of a live server, and tests against the snapshot.

Allan countered that IBM Rational also has utilized virtualization to help test production environments.

“Testing virtualized environments versus non-virtualized environments … really doesn’t make a difference from a test perspective,” he said.
