> This one is for all the RIA developers on the list. I haven't really seen secure coding widely addressed here but was hoping someone had knowledge that could get me started.
>
> I'm leading an effort to develop Flash coding standards in a corporate environment so there are fewer (or no) security risks and so there's a knowledge base of what to look for. I gather that this is not an exciting topic for FC but I have to do a thorough job documenting vulnerabilities, best practices, common pitfalls.
>
> I'm hoping someone here has had to wrestle with security for a financial app or hotel booking... I understand that the player itself is the main concern but I don't know how it can be hacked... I don't even want to google 'hacking flash' for fear an Adobe goon will hunt me down (and take my iPod touch).
>
> Any of you familiar with OWASP? I have to write a report based on these top ten vulnerabilities (link).
>
> I can see the value but it hurts my web designer brain :^)
> http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Well, honestly, most of these issues don't really have anything to do with Flash, Flex or AIR. They're issues that you face with any server-side web application. The server-side web application that your RIA client invokes has to be secure from those common vulnerabilities listed in OWASP's Top Ten list.

As for the other issues that aren't really server-side, like XSS and CSRF, your RIA will be more likely to be safe than a standard AJAX HTML application interface - especially if it's an AIR application running completely outside of a browser instance that may be used for other things as well as your application.

I wouldn't worry about running those Google searches, anyway. Adobe's had to let go of their goon squad due to budgetary cutbacks.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

_______________________________________________
Flashcoders mailing list
[email protected]
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
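The reply's point is that the checks belong on the server the SWF talks to, and that of the client-side items, CSRF is the one a browser-hosted Flash client still has to care about: the browser attaches the session cookie to any request, whatever origin triggered it, so the server cannot treat "has a valid cookie" as "the user meant to do this". The following is an added example, not code from the thread or from Fig Leaf; it sketches a server-side handler for a hypothetical funds-transfer endpoint that a Flash/Flex client would call. The endpoint name, the `SESSIONID` cookie, the `csrf_token` parameter, the secret and the amount limit are all assumptions made for the example. The token is an HMAC over the session id and a timestamp; the RIA fetches it once after login (over an authenticated response, never a cookie) and sends it with every state-changing request, which a cross-site forger cannot do because it cannot read that response.

```python
"""Server-side CSRF token check for a state-changing endpoint called by an RIA client.

Added example; the endpoint, cookie name, parameter names and secret are assumptions.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Constructed secret for this example only; a real deployment loads it from a secrets store.
SERVER_SECRET = b"example-only-server-secret"
TOKEN_MAX_AGE = 3600  # seconds a token stays valid
MAX_AMOUNT_CENTS = 1_000_000  # assumed per-request ceiling, in cents


def issue_csrf_token(session_id: str, now: Optional[int] = None) -> str:
    """Mint a token bound to one session.

    The client obtains it from an authenticated response after login and must echo it in
    every state-changing request. It is deliberately not stored in a cookie: a forged
    cross-site request carries cookies automatically but cannot carry this value.
    """
    ts = int(time.time()) if now is None else now
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str], now: Optional[int] = None) -> bool:
    """Recompute the MAC for the presented timestamp and this session; compare in constant time."""
    if not token or "." not in token:
        return False
    ts_str, presented = token.split(".", 1)
    if not ts_str.isdigit():
        return False
    ts = int(ts_str)
    current = int(time.time()) if now is None else now
    if ts > current or current - ts > TOKEN_MAX_AGE:
        return False  # expired, or a timestamp from the future
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented)


def handle_transfer(cookies: Dict[str, str], params: Dict[str, str],
                    now: Optional[int] = None) -> Tuple[int, str]:
    """Hypothetical 'transfer funds' endpoint.

    The session cookie only identifies the user; the browser sends it for requests from any
    origin. The CSRF token proves the request came from our own client, and every parameter
    is validated here regardless of what the SWF already checked, because the client is not
    trusted input.
    """
    session_id = cookies.get("SESSIONID")
    if not session_id:
        return 401, "no session"
    if not verify_csrf_token(session_id, params.get("csrf_token"), now):
        return 403, "missing or invalid CSRF token"
    amount = params.get("amount", "")
    if not amount.isdigit() or not 0 < int(amount) <= MAX_AMOUNT_CENTS:
        return 400, "invalid amount"
    return 200, f"transferred {int(amount)} cents"


if __name__ == "__main__":
    # Constructed requests: a legitimate one from our client, then a cross-site forgery that
    # has the victim's cookie but no token.
    t0 = 1_700_000_000
    token = issue_csrf_token("sess-alice", now=t0)
    print(handle_transfer({"SESSIONID": "sess-alice"},
                          {"csrf_token": token, "amount": "2500"}, now=t0))
    print(handle_transfer({"SESSIONID": "sess-alice"},
                          {"amount": "2500"}, now=t0))
```

The same structure applies to every OWASP item that is really a server-side concern: the Flash client is just another HTTP caller, and anything it sends can be replayed or altered by a tool that is not the Flash player at all, so parameter validation, authorization and output encoding have to live behind the endpoint, not in the SWF.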

