February 4, 2009 6:01 AM PST

IBM software scans for security holes in Flash, Ajax

by Elinor Mills

IBM announced new software on Wednesday that scans Flash and Ajax-based apps for security problems.

IBM Rational AppScan can automatically scan online applications every 15 minutes to check for security defects that could lead to compromised computers and Internet attacks. Administrators can receive security alerts on their mobile devices as they occur.

The standard version of the product costs $17,550 for a one-year license. The software also supports service-oriented architecture applications, IBM said.

More than half of all vulnerabilities disclosed last year were in Web applications, according to IBM's X-Force Trend Report.

And Flash seems to get its share of vulnerabilities. The number of Flash vulnerabilities detected in Web applications over the last two years has increased by 300 percent compared with 2005 and 2006, according to the IBM X-Force report.

Adobe Flash Player is on more than 98 percent of Internet-connected computers and is used to view 80 percent of the video on the Web, IBM said.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by dascha1 February 4, 2009 6:25 AM PST
Um, I don't think it's about security holes but an accessible target in guise really. They are finding things wrong to make a fuss and get some attention. Keep a close eye on this company folks. Desperate times call for desperate measures to them I suppose.
by pentest February 4, 2009 8:03 AM PST
Given that too many amateurs play around with Ajax and Flash, especially Ajax, this is an important project.
by DeclinedDoomed February 4, 2009 6:51 AM PST
Wow, $17,550? Either this is way overpriced, or that's a typo.
by lonestarState February 4, 2009 8:12 AM PST
At $17,000+ not one business is going to purchase that "security" scanning software. Sounds like a white-collar scam! What a joke! Very funny IBM! Time to file another 1,000 ridiculous patents this year!
by alan_06 February 4, 2009 8:16 AM PST
I don't get it. Why scan for 15 minutes? Is it not a one time bug reporting tool so developers can fix it?
If they're scanning for application errors, it's a one time use. If it's a scan for Flash vulnerabilities, why not report to Flash to fix the bug?
Looks like IBM is modelling its business to make money out of other company product bugs they found.

IBM's first client will likely be Adobe I guess. Too pricey for Flash web developers. It'll be nice to have an online reseller for this tool who will allow individuals to check their Flash applications for a small fee.
by didierr March 3, 2009 4:16 AM PST
I recommend a service called GamaSec (www.gamasec.com), a remote online web vulnerability-assessment service that tests web servers, web-interfaced systems and web-based applications against thousands of known vulnerabilities with dynamic testing, and by simulating web-application attacks during online scanning.

The service identifies security vulnerabilities and produces recommended solutions that can fix, or provide a viable workaround to, the identified vulnerabilities: www.gamasec.com

For a cost of only $600 for a one-year subscription and reception of monthly reports.
So why pay $17500 + internal recourse if you can have the same services for a lower price?
by May 21, 2009 5:12 AM PDT
Another good web security scanning service is Powerfuzzer http://scanner.powerfuzzer.com. Their software was featured in books and numerous websites. Sample report is available on the website, so you can see what it is capable of. They currently have a free scan offer for educational facilities and non-profits.