Flash has become a de-facto standard for Web applications, yet most vulnerability management solutions don't do a very good job of verifying Flash content. This is surprising, especially since 98% of workstations have the Adobe Flash player installed, according to an Adobe study. The Flash player itself can contain unpatched vulnerabilities, which most scanners already detect. However, most scanners completely ignore the actual Flash applications and their interactions with the back-end servers.
The scary part of this fact is that the Flash applications are often written by the people least familiar with the concept of secure coding: graphic designers (as opposed to Web application developers who may be familiar with the concept). As a result, many Flash applications are coded insecurely. And because Flash applications are compiled binaries, reviewing them is anything but easy.
Website navigation menus are often coded as Flash to make them look nicer, so following links that occur in Flash content is important to spider all parts of the website and increase link coverage. The NeXpose vulnerability scanner has offered this functionality for years. But that's not nearly enough, since Flash applications can contain a number of vulnerabilities themselves.
As of today, NeXpose 4.10.4 is the industry's first vulnerability management solution to offer full decompilation of Flash content. Once the code is decompiled, NeXpose uses static code analysis to find vulnerabilities in it, including SQL injection, hard-coded login credentials, and insecure cryptography.
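To make the kind of analysis concrete, here is an added Python illustration (not NeXpose code) of two of the static checks named above, run over a constructed fragment of decompiled ActionScript; the variable names, the URL and the regex heuristics are assumptions.

```python
"""Toy static checks over decompiled ActionScript source: hard-coded
credentials and SQL assembled by string concatenation. Added illustration,
not NeXpose code; the sample source below is constructed."""
import re

# Constructed ActionScript 2 fragment, the kind of code a SWF decompiler
# emits. Assumption: credentials and SQL appear as plain string literals.
SAMPLE_AS = """
var dbUser:String = "admin";
var dbPassword:String = "s3cret!";
function lookup(username:String) {
    var q:String = "SELECT * FROM users WHERE name='" + username + "'";
    var lv:LoadVars = new LoadVars();
    lv.sql = q;
    lv.send("http://backend.example/query.php", "_blank", "POST");
}
function greet(name:String) {
    var msg:String = "Hello " + name;
}
"""

# A credential-looking identifier (optionally typed, e.g. ":String")
# assigned a non-empty string literal.
CRED_RE = re.compile(
    r'\b(\w*(?:password|passwd|pwd|secret|apikey|api_key)\w*)'
    r'\s*(?::\s*\w+)?\s*=\s*"([^"]+)"', re.I)
# A literal starting with a SQL keyword, concatenated with a variable.
SQL_CONCAT_RE = re.compile(
    r'"\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+\s*\w+', re.I)


def find_hardcoded_credentials(src):
    """Return (line_no, identifier) for literals assigned to credential-like names."""
    hits = []
    for n, line in enumerate(src.splitlines(), 1):
        m = CRED_RE.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits


def find_sql_concatenation(src):
    """Return line numbers where a SQL literal is concatenated with a variable."""
    return [n for n, line in enumerate(src.splitlines(), 1)
            if SQL_CONCAT_RE.search(line)]


if __name__ == "__main__":
    print("hard-coded credentials:", find_hardcoded_credentials(SAMPLE_AS))
    print("SQL string concatenation:", find_sql_concatenation(SAMPLE_AS))
```

The first check flags the `dbPassword` literal; the second flags the query built from `username`, which is the pattern behind the SQL injection class the post mentions.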
This latest feature bolsters Rapid7's leadership in adding web application scanning to a broader vulnerability management solution. Rapid7 actually has a long history of being the first in the vulnerability management industry to add new technology that has later become standard:
Rapid7 has consistently led the vulnerability management industry in Web application security