
SWFScan interface
Static analysis is an automated analysis of a program's source code: in other words, a tool decompiles the program and examines its instructions, searching for potential problems such as vulnerabilities, best-practice issues and so on.
Java, .NET and C developers have had these tools for ages, but fortunately we Flash coders get one too: from HP.
I must confess I was quite surprised to see this from HP. Well, I know that HP was founded with the purpose of being primarily an innovation company, but to most people on the street, HP means printers (and my laptop is from HP). Joking aside, HP has many tools dealing with Application Security.
SWFScan is pretty cool. I can load local or remote SWF files, decompile and analyse them. It looks for about 75 potential problems, ranging from credit card info hardcoded in code (who would do such a thing?) to Cross-site scripting (XSS) to warnings about the location of the Local Shared Objects.
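To make the decompile-and-scan idea concrete, here is a toy checker (an added example, not SWFScan or HP code) run over a constructed snippet of decompiled ActionScript 2. It implements three of the check types named above: a hardcoded card number (confirmed with a Luhn checksum to cut false positives), a flashvar flowing straight into getURL (a heuristic for the classic Flash XSS pattern), and the presence of a Local Shared Object; the variable names and the sample source are assumptions.

```python
import re

# Constructed sample of decompiled ActionScript 2 (not from any real application).
DECOMPILED_AS2 = """\
var apiKey = "demo";
var testCard = "4111111111111111";   // hardcoded test card number
var notACard = "1234567890123456";   // 16 digits but fails Luhn
function go() {
    getURL(_root.returnUrl, "_self");   // flashvar flows into getURL
}
var so = SharedObject.getLocal("prefs");
"""

CARD_RE = re.compile(r'"(\d{13,19})"')          # quoted run of 13-19 digits
GETURL_RE = re.compile(r'getURL\(([^)]*)\)')     # getURL(...) argument list
FLASHVAR_RE = re.compile(r'\b(_root|_level0)\.\w+')  # AS2 flashvar access


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: True for a syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(source: str):
    """Return (line_no, check_name, detail) findings for decompiled source."""
    findings = []
    for n, line in enumerate(source.splitlines(), start=1):
        for m in CARD_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((n, "hardcoded-card", m.group(1)))
        for m in GETURL_RE.finditer(line):
            if FLASHVAR_RE.search(m.group(1)):
                findings.append((n, "xss-geturl-flashvar", m.group(1).strip()))
        if "SharedObject.getLocal(" in line:
            findings.append((n, "local-shared-object", line.strip()))
    return findings


if __name__ == "__main__":
    for finding in scan(DECOMPILED_AS2):
        print(finding)
```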
The interface is clean and the information about each vulnerability is presented in a very clear manner, with links for additional info.
The decompiler will choke on flash files protected with SWFEncrypt, but hey, you’re supposed to be testing your applications…
Overall, I’m very impressed with this offering from HP and I hope to see more great tools for Flash, AIR and Flex.