Re: [Flashcoders] RIA Secure Coding
It's just a decompiler that only does code and warns against a few tiny things that are largely irrelevant.

___
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
RE: [Flashcoders] RIA Secure Coding
Thanks Dave, this is probably why my head hurts. I guess I'm pretty interested in security specific to Flash Player and how it can be attacked. I fully understand what you're saying though, and luckily I will not have to document anything for any of the server-side web apps.

Adobe does have a brief Flash security tutorial and does outline a few of the concerns on OWASP:
http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps_13.html

This documentation seems like an okay start for me, but I am hoping the list can point me in a more interesting direction.

---

> Well, honestly, most of these issues don't really have anything to do with Flash, Flex or AIR. They're issues that you face with any server-side web application. The server-side web application that your RIA client invokes has to be secure from those common vulnerabilities listed in OWASP's Top Ten list.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.
Re: [Flashcoders] RIA Secure Coding
> Thanks Dave, this is probably why my head hurts. I guess I'm pretty interested in security specific to Flash Player and how it can be attacked.

Right, but for the most part this doesn't have anything to do with developers. As a developer, I can build applications that use the features of the Flash Player, but presumably they're going to use those features in a responsible way.

Most Flash Player-specific security issues are end-user issues: an end-user might run someone else's application which is intentionally designed to do malicious things. The same thing happens with PDFs: as a developer I might build PDF forms, for example, but I'm not going to try to compromise the client that uses them. But end-users may well download PDFs intentionally designed to do just that.

So, in summary, as a developer, you need to assume that your client-side code can be completely viewed by an attacker, and you need to secure the server-side calls made by that code just like you would with an HTML interface.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
[Flashcoders] RIA Secure Coding
This one is for all the RIA developers on the list. I haven't really seen secure coding widely addressed here but was hoping someone had knowledge that could get me started.

I'm leading an effort to develop Flash coding standards in a corporate environment so there are fewer (or no) security risks and so there's a knowledge base of what to look for. I gather that this is not an exciting topic for FC but I have to do a thorough job documenting vulnerabilities, best practices, common pitfalls. I'm hoping someone here has had to wrestle with security for a financial app or hotel booking...

I understand that the player itself is the main concern but I don't know how it can be hacked... I don't even want to google 'hacking flash' for fear an Adobe goon will hunt me down (and take my iPod touch).

Any of you familiar with OWASP? I have to write a report based on these top ten vulnerabilities (link). I can see the value but it hurts my web designer brain :^)
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Re: [Flashcoders] RIA Secure Coding
> This one is for all the RIA developers on the list. I haven't really seen secure coding widely addressed here but was hoping someone had knowledge that could get me started.
>
> I'm leading an effort to develop Flash coding standards in a corporate environment so there are fewer (or no) security risks and so there's a knowledge base of what to look for. I gather that this is not an exciting topic for FC but I have to do a thorough job documenting vulnerabilities, best practices, common pitfalls. I'm hoping someone here has had to wrestle with security for a financial app or hotel booking...
>
> I understand that the player itself is the main concern but I don't know how it can be hacked... I don't even want to google 'hacking flash' for fear an Adobe goon will hunt me down (and take my iPod touch).
>
> Any of you familiar with OWASP? I have to write a report based on these top ten vulnerabilities (link). I can see the value but it hurts my web designer brain :^)
> http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Well, honestly, most of these issues don't really have anything to do with Flash, Flex or AIR. They're issues that you face with any server-side web application. The server-side web application that your RIA client invokes has to be secure from those common vulnerabilities listed in OWASP's Top Ten list.

As for the other issues that aren't really server-side, like XSS and CSRF, your RIA will be more likely to be safe than a standard AJAX HTML application interface - especially if it's an AIR application running completely outside of a browser instance that may be used for other things as well as your application.

I wouldn't worry about running those Google searches, anyway. Adobe's had to let go of their goon squad due to budgetary cutbacks.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
Re: [Flashcoders] RIA Secure Coding
Rule one: do not allow people to upload flash movies.
Rule two: do not allow people to upload flash movies to your main domain.
Rule three: do not allow people to upload flash movies that can use javascript.
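The three rules above, turned into a server-side policy check plus the embed markup a hosting page would use, as an added example that is not part of the thread. The host names, the `/uploads/UPLOAD_ID.swf` path and the choice of `allowNetworking="internal"` are assumptions; the SWF header signatures and the `allowScriptAccess` values are Flash Player's own.

```python
import html

# Constructed example, not from the Flashcoders thread. Every SWF starts with
# one of three signatures: FWS (uncompressed), CWS (zlib), ZWS (LZMA).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def is_swf(data: bytes) -> bool:
    """Rule one: recognise SWF content by its header, not its extension,
    so a renamed .swf cannot slip past an upload filter."""
    return len(data) >= 8 and data[:3] in SWF_MAGIC


def upload_host_is_isolated(upload_host: str, main_host: str) -> bool:
    """Rule two: user content must never be served from the main domain or
    one of its subdomains, otherwise it lands in the same Flash security
    sandbox (and web origin) as the site's own movies."""
    u = upload_host.lower().rstrip(".")
    m = main_host.lower().rstrip(".")
    return u != m and not u.endswith("." + m)


def embed_markup(swf_url: str) -> str:
    """Rule three: the embedding page decides whether a SWF may reach the
    browser. allowScriptAccess="never" disables ExternalInterface and
    javascript: URLs; allowNetworking="internal" (assumed here) also blocks
    navigateToURL/fscommand while leaving ordinary data loading intact."""
    url = html.escape(swf_url, quote=True)   # keep the URL from breaking out of the attribute
    return (
        f'<object type="application/x-shockwave-flash" data="{url}">'
        f'<param name="movie" value="{url}" />'
        '<param name="allowScriptAccess" value="never" />'
        '<param name="allowNetworking" value="internal" />'
        "</object>"
    )


def check_upload(data: bytes, upload_host: str, main_host: str,
                 swf_uploads_allowed: bool = False) -> dict:
    """Apply the rules in order; for an accepted SWF return the markup the
    hosting page must use. Non-SWF uploads are out of scope and pass."""
    if not is_swf(data):
        return {"ok": True, "reason": "not a SWF", "embed": None}
    if not swf_uploads_allowed:
        return {"ok": False, "reason": "rule 1: SWF uploads disabled", "embed": None}
    if not upload_host_is_isolated(upload_host, main_host):
        return {"ok": False, "reason": "rule 2: upload host shares main domain", "embed": None}
    url = f"https://{upload_host}/uploads/UPLOAD_ID.swf"   # placeholder storage path
    return {"ok": True, "reason": "rule 3: served script-disabled", "embed": embed_markup(url)}
```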
RE: [Flashcoders] RIA Secure Coding
A while ago Hewlett-Packard released a tool (custom decompiler) for 'exposing Flash Application vulnerabilities'. It might make an easy starting point for further investigation.
http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2009/03/20/exposing-flash-application-vulnerabilities-with-swfscan.aspx

C:

-----Original Message-----
From: flashcoders-boun...@chattyfig.figleaf.com [mailto:flashcoders-boun...@chattyfig.figleaf.com] On Behalf Of Boerner, Brian J
Sent: Thursday, 3 June 2010 6:55 AM
To: Flash Coders List
Subject: [Flashcoders] RIA Secure Coding

> This one is for all the RIA developers on the list. I haven't really seen secure coding widely addressed here but was hoping someone had knowledge that could get me started.
>
> I'm leading an effort to develop Flash coding standards in a corporate environment so there are fewer (or no) security risks and so there's a knowledge base of what to look for. I gather that this is not an exciting topic for FC but I have to do a thorough job documenting vulnerabilities, best practices, common pitfalls. I'm hoping someone here has had to wrestle with security for a financial app or hotel booking...
>
> I understand that the player itself is the main concern but I don't know how it can be hacked... I don't even want to google 'hacking flash' for fear an Adobe goon will hunt me down (and take my iPod touch).
>
> Any of you familiar with OWASP? I have to write a report based on these top ten vulnerabilities (link). I can see the value but it hurts my web designer brain :^)
> http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project