IBM fixes Flash?

Some scary headlines today… IBM AppScan Takes Aim at Securing Flash, IBM Targets Adobe Flash Vulnerabilities with New Tool, IBM software scans for security holes in Flash, Ajax, IBM’s AppScan tool adds Adobe Flash, SOA scanning.

The headlines seem to overstate the case, but it looks like not all of the information has been published yet.

The AppScan minisite links to a PDF, but their press room doesn’t yet seem to have a press release or FAQ which Adobe participated in. My best guess is that there was a press pre-briefing and embargo which wasn’t backed up by the full release of info. Hard to tell, from my position right now.

Bottom line, IBM’s Rational AppScan is a tool for enterprises to check the content they generate. The recent release adds a lot of “best practices” checking for HTML and SWF, such as averting SQL Injection on HTML form fields, overly broad cross-domain access or JavaScript-ability for Flash, etc. It helps to reduce the amount of new web content with known authoring vulnerabilities, and has nothing to do with “vulnerabilities” in Flash Player per se.
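To make the “overly broad cross-domain access” check concrete, here is an added example (my own illustration, not AppScan’s or Adobe’s code) that parses a crossdomain.xml and flags the settings an authoring-policy scanner would object to; both policy documents are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the kind of overly broad policy a content check should flag.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

# Constructed sample: the same policy tightened to named origins only.
TIGHT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
  <allow-access-from domain="static.example.com"/>
</cross-domain-policy>"""


def check_crossdomain(xml_text):
    """Return a list of findings (strings) for one crossdomain.xml document.

    Flags: a wildcard or subdomain-wildcard domain, secure="false" (lets a
    plain-HTTP SWF read data from this HTTPS host), and site-control set to
    "all" (honours any policy file found elsewhere on the host).
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies") == "all":
            findings.append("site-control permits any policy file on the host")
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from grants every domain (*)")
        elif domain.startswith("*."):
            findings.append(f"allow-access-from grants a wildcard subdomain ({domain})")
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on {domain or "?"} lets HTTP callers read HTTPS data')
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("tight", TIGHT_POLICY)):
        print(name, check_crossdomain(policy) or ["no findings"])
```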

There are some more informational materials in the pipeline that haven’t made it out yet. I believe the Adobe PSIRT folks will also have info on this whole area of enterprise content-checking. If you get questions about this morning’s press, the best answer may be “Wait just a little for full information to become available, on that useful best-practices validation tool.”

Now, if only we had some way to protect people from vulnerabilities in new headline generation… ;-)