When Brad Arkin joined Adobe Systems Inc. a little less than two years ago, the maker of the popular Adobe Reader and Flash Player hadn't had a zero-day incident. Now, unfortunately, such threats are becoming more routine for the company, said Arkin, senior director of product security and privacy at Adobe, which is tackling the problem with an aggressive secure software development lifecycle.
"There are definitely a lot of bad guys out there who make a living attacking software. … They started by attacking Microsoft, now they're attacking Adobe too," he said. "We're definitely in the spotlight."
Arkin spoke about Adobe's security challenges and the company's Secure Product Lifecycle (SPLC) in a presentation last week at an (ISC)2 conference on securing software in Fremont, Calif. The conference, entitled SecureSDLC: Building Security into the Software Lifecycle, drew about 75 infosecurity professionals, application developers and auditors.
Adobe products such as Reader are widely used, feature-rich and compatible with a broad range of platforms, making them a big target for criminals, Arkin said.
Adobe's SPLC, which includes an 80-point security plan for every product, security training and certification for engineers, and a culture of security largely based on the company's training program, has yielded more secure products, he said. The company's four-tier training program, which launched in early 2009, begins with computer-based training, but to achieve the third level (a "brown belt") an engineer must create a project and finish it in six months, while the fourth level (a "black belt") requires coordination of brown-belt projects.
Adobe uses a lot of static and dynamic analysis tools in its secure software development lifecycle, and fuzz testing has proven very useful, Arkin said. The goal is to catch vulnerabilities up front by building secure code, but it's also important to review old code because threats are always changing, he said.
When the software maker ships a product, it has a response plan in the event of a security incident, said Arkin, who manages two teams, the Adobe Secure Software Engineering Team (ASSET) and the Product Security Incident Response Team (PSIRT).
Matt Moynahan, CEO of Veracode Inc., a Burlington, Mass.-based provider of cloud-based application security services, said the challenge for Adobe, as well as Microsoft and Symantec -- other suppliers of widely deployed software -- is products that were built years ago, before today's onslaught of threats. They're also dealing with multiple platforms and an environment in which most customers don't update regularly, he said.
"All of the top software vendors are really grappling with a critical problem, which is that modern warfare has been brought to a coding environment that wasn't built for it," he said.