IBM fixes Flash?

Some scary headlines today… IBM AppScan Takes Aim at Securing Flash, IBM Targets Adobe Flash Vulnerabilities with New Tool, IBM software scans for security holes in Flash, Ajax, IBM’s AppScan tool adds Adobe Flash, SOA scanning.

The headlines seem to overstate the case, but it looks like not all of the information has been made public yet.

The AppScan minisite links to a PDF, but their press room doesn’t yet seem to have a press release or FAQ which Adobe participated in. My best guess is that there was a press pre-briefing and embargo which wasn’t backed up by the full release of info. Hard to tell, from my position right now.

Bottom line, IBM’s Rational AppScan is a tool for enterprises to check the content they generate. The recent release adds a lot of “best practices” checking for HTML and SWF, such as averting SQL Injection on HTML form fields, overly-broad cross-domain access or JavaScript-ability for Flash, etc. It helps to reduce the amount of new web content with known authoring vulnerabilities, and has nothing to do with “vulnerabilities” in Flash Player per se.
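To make the “best practices” checks concrete, here is an added example (my own illustration, not code from this post and not part of IBM’s AppScan) of what an authoring check for two of the Flash items above can look like. It assumes that “overly-broad cross-domain access” refers to a site’s crossdomain.xml policy file and that “JavaScript-ability” refers to the allowScriptAccess embed parameter; the policy and HTML samples are constructed for the example.

```python
# Added example: a small best-practices checker for two Flash authoring issues,
# (1) an overly broad crossdomain.xml and (2) SWF embeds that allow the SWF
# unrestricted JavaScript access to the hosting page. Not IBM's or Adobe's code.
import re
import xml.etree.ElementTree as ET

# --- constructed sample inputs ------------------------------------------------
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
</cross-domain-policy>"""

PERMISSIVE_HTML = """<object type="application/x-shockwave-flash" data="app.swf">
  <param name="movie" value="app.swf">
  <param name="allowScriptAccess" value="always">
  <embed src="app.swf" allowScriptAccess="always">
</object>"""

RESTRICTED_HTML = """<object type="application/x-shockwave-flash" data="app.swf">
  <param name="movie" value="app.swf">
  <param name="allowScriptAccess" value="sameDomain">
  <embed src="app.swf" allowScriptAccess="sameDomain">
</object>"""


def check_crossdomain_policy(xml_text):
    """Return a list of findings for a crossdomain.xml document (empty = clean)."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"policy file is not well-formed XML: {exc}"]
    if root.tag != "cross-domain-policy":
        return [f"unexpected root element <{root.tag}>"]

    # "all" lets any policy file anywhere on the host grant access, so an
    # upload directory could override the master policy.
    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies", "").lower() == "all":
            findings.append('site-control permitted-cross-domain-policies="all": '
                            "non-master policy files are honoured")

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any site may read this '
                            "host's content in the visitor's authenticated session")
        # secure defaults to true; false lets plain-http SWFs read https content.
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'allow-access-from domain="{domain}" secure="false": '
                            "http-loaded SWFs may read https content")

    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("domain") == "*" and rule.get("headers") == "*":
            findings.append('allow-http-request-headers-from domain="*" headers="*": '
                            "any site may send arbitrary headers to this host")
    return findings


# Matches the <embed allowScriptAccess="..."> attribute form.
_ATTR_RE = re.compile(r'allowScriptAccess\s*=\s*["\']?([A-Za-z]+)', re.I)
# Matches the <param name="allowScriptAccess" value="..."> form.
_PARAM_RE = re.compile(
    r'name\s*=\s*["\']allowScriptAccess["\'][^>]*?value\s*=\s*["\']?([A-Za-z]+)', re.I)


def check_embed_html(html_text):
    """Return a finding for every SWF embed that sets allowScriptAccess=always.

    The default (sameDomain) only lets a SWF call JavaScript on a page from its
    own domain; "always" lets a SWF served from anywhere script the page.
    """
    findings = []
    for regex in (_PARAM_RE, _ATTR_RE):
        for match in regex.finditer(html_text):
            value = match.group(1)
            if value.lower() == "always":
                findings.append(f'allowScriptAccess="{value}": embedded SWF may '
                                "call JavaScript on the hosting page")
    return findings


if __name__ == "__main__":
    for label, text, check in (
        ("permissive crossdomain.xml", PERMISSIVE_POLICY, check_crossdomain_policy),
        ("restricted crossdomain.xml", RESTRICTED_POLICY, check_crossdomain_policy),
        ("permissive embed", PERMISSIVE_HTML, check_embed_html),
        ("restricted embed", RESTRICTED_HTML, check_embed_html),
    ):
        print(f"{label}: {check(text) or ['no findings']}")
```

The restricted samples show the authoring fix the findings point at: a master-only site-control element, an explicit host list instead of `*`, and `sameDomain` (the default) instead of `always`. A real scanner would walk a site tree and fetch the live policy file, but the checks themselves are this simple, which is why they are framed as authoring best practices rather than Flash Player bugs.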

There are some more informational materials in the pipeline that haven’t made it out yet. I believe the Adobe PSIRT folks will also have info on this whole area of enterprise content-checking. If you get questions about this morning’s press, the best answer may be “Wait just a little for full information to become available, on that useful best-practices validation tool.”

Now, if only we had some way to protect people from vulnerabilities in new headline generation…. 😉

2 Responses to IBM fixes Flash?

  1. VeryVito says:

    As one who spent years working within the framework of IBM “best practices,” particularly as they pertained to SWF pieces generated within the belly of the Big Blue beast, my first reaction to this news can only be: “Bwahahahahahaaaaaa!!!!!! *gasp* hooo-wheeee! Stop! Stop! You’re killing me!!! Hee hee… Hoo boy, that’s rich.”
    [jd sez: uh-oh, you’re going to get me a call from corporate here…. 😉 (I haven’t evaluated the tooling myself; I just reacted to the headlines.) ]

  2. VeryVito says:

    To be fair, I haven’t seen the tool either, and as it seems to focus on enterprise security and how Flash relates to the rest of a site, it’s probably a pretty solid app in reality. But yes — the headlines do invoke panic. My imagination was captured by the idea of the company preaching “how to make flashes” to external designers and content developers. It was late. 🙂