Adobe hopes to speed patch releases with more transparency

By Robert Westervelt, News Editor
17 Dec 2008 | SearchSecurity.com


The Adobe Secure Software Engineering Team (ASSET) is trying to make its software development process more visible so that security researchers report vulnerabilities in Adobe products directly to Adobe.

Some vulnerabilities in Adobe products reach Adobe only after researchers have first reported them to Mozilla, Microsoft or other software vendors. That detour often lengthens the time it takes to roll out a patch, said Brad Arkin, Adobe's director of product security and privacy.

"There is an amount of inefficiency as a result, of course, and we need to do our part to try and improve upon it, in part through the ASSET blog," Arkin said in an email exchange.

To explain what is going on behind the scenes and open a more direct channel to security researchers, ASSET is starting a blog focused on its secure development lifecycle, Arkin said.

ASSET works alongside the Adobe Product Security Incident Response Team (PSIRT): PSIRT handles incoming vulnerability reports, while ASSET ensures that security is built into Adobe's software development lifecycle. The two groups grew out of Adobe's 2005 acquisition of Macromedia, when the two companies' secure software engineering practices were merged during integration.

"As always, our goal is to improve communication around Adobe's security efforts and to keep our customers as secure as possible," he said.

Adobe's secure development lifecycle resembles Microsoft's, Arkin said, and ASSET team members regularly exchange security knowledge with their Microsoft counterparts.

"Our process shares many best practices with Microsoft's SDLC, but is customized to fit Adobe's approach to software engineering," he said.

In addition, Adobe is raising the team's profile by presenting at and attending more security conferences, inviting outside security experts to speak at Adobe, and publishing security-related documentation, Arkin said.

Arkin said Adobe's software team has improved security by enabling secure compiler flags in the latest versions of Flash Player and Adobe Reader. Compiler flags also help Flash developers avoid baking static passwords, encryption keys or other sensitive data into a SWF file, where anything compiled in can be recovered by decompiling the SWF, and they offer other safeguards, such as stripping trace statements when the compiled SWF file is built.

Adobe also moved quickly to address a clickjacking issue in October. The vendor asked two security researchers, Robert Hansen and Jeremiah Grossman, to postpone their presentation on the technique so the software team could produce a patch. Grossman said at the time that he was surprised Adobe took ownership of the attack technique, because he considered it the browser vendors' responsibility. Clickjacking tricks a user into clicking on a hidden or disguised element of a Web page, so that the click lands on a control the user never intended to operate; the Flash Player demonstration abused the dialog that grants a site access to the user's camera and microphone. The update blocked that attack as well as the clipboard-hijacking attacks that had plagued end users for months, and Adobe accompanied the release with a detailed review of the other security changes made to Flash Player and how they could affect existing content.
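
What makes a page clickjackable is that another site can load it in a frame and lay invisible content over it. The following is an added example, not code from the article or from Adobe: a small Node.js check that reads a response's anti-framing headers (X-Frame-Options and the Content-Security-Policy frame-ancestors directive, the browser-side defenses that were standardized after this article was written) and decides whether a given framing origin would be allowed to embed the page. The site name bank.example, the origins and the header values are constructed test data.

```javascript
// Added example, not from the article or from Adobe: decide whether a response
// may be embedded in a frame by a given origin, the precondition for clickjacking.
// Implements the X-Frame-Options and CSP frame-ancestors rules as current
// browsers apply them. All origins and header values are constructed test data.

const DEFAULT_PORT = { "https:": "443", "http:": "80" };

// Split an origin string into the parts that framing checks compare.
function originParts(origin) {
  const u = new URL(origin);
  return {
    protocol: u.protocol,
    hostname: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORT[u.protocol] || "",
  };
}

function sameOrigin(a, b) {
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Match one frame-ancestors source expression against the framing origin.
function sourceMatches(source, framer, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return sameOrigin(framer, self);
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return s === framer.protocol; // scheme-source, e.g. "https:"

  let hostPart = s;
  const m = s.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (m) {
    if (m[1] + ":" !== framer.protocol) return false;
    hostPart = m[2];
  }
  const [hostPattern, port] = hostPart.split("/")[0].split(":");
  if (port !== undefined && port !== "*" && port !== framer.port) return false;
  if (hostPattern.startsWith("*.")) {
    // "*.example.com" matches subdomains only, not example.com itself.
    const suffix = hostPattern.slice(1);
    return framer.hostname.endsWith(suffix) && framer.hostname.length > suffix.length;
  }
  return hostPattern === framer.hostname;
}

// headers: map of lowercase response header names to values.
// Returns { allowed, reason }; allowed === true means framerOrigin can frame the page.
function framingAllowed(headers, selfOrigin, framerOrigin) {
  const self = originParts(selfOrigin);
  const framer = originParts(framerOrigin);

  const csp = headers["content-security-policy"];
  if (csp) {
    for (const directive of csp.split(";")) {
      const tokens = directive.trim().split(/\s+/);
      if (tokens[0].toLowerCase() === "frame-ancestors") {
        // When both headers are present, frame-ancestors wins and X-Frame-Options is ignored.
        const sources = tokens.slice(1);
        const allowed = sources.some((src) => sourceMatches(src, framer, self));
        return { allowed, reason: `CSP frame-ancestors ${sources.join(" ") || "(empty list)"}` };
      }
    }
  }

  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN") {
    return { allowed: sameOrigin(framer, self), reason: "X-Frame-Options: SAMEORIGIN" };
  }
  if (xfo) {
    // ALLOW-FROM and any other unrecognized value are ignored by current browsers.
    return { allowed: true, reason: `X-Frame-Options value "${xfo}" not recognized; no protection` };
  }
  return { allowed: true, reason: "no anti-framing header; page can be framed by any origin" };
}

// Constructed sample responses for a hypothetical site at https://bank.example.
const SAMPLE_RESPONSES = {
  unprotected: {},
  deny: { "x-frame-options": "DENY" },
  sameorigin: { "x-frame-options": "SAMEORIGIN" },
  csp: {
    "x-frame-options": "DENY",
    "content-security-policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
  },
};

// Evaluate every sample response against one framing origin.
function audit(selfOrigin, framerOrigin) {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    out[name] = framingAllowed(headers, selfOrigin, framerOrigin).allowed;
  }
  return out;
}

console.log("framed by https://attacker.example:", audit("https://bank.example", "https://attacker.example"));
console.log("framed by https://app.partner.example:", audit("https://bank.example", "https://app.partner.example"));
```

The `unprotected` sample is the situation the article's clickjacking paragraph describes: with no anti-framing header, any origin can embed the page and overlay it. The `csp` sample shows the precedence rule worth remembering when auditing real responses: its X-Frame-Options: DENY is ignored because a frame-ancestors directive is present, so app.partner.example is allowed while partner.example itself is not matched by the `*.` wildcard. The JavaScript frame-busting idiom of the era (`if (top !== self) top.location = self.location`) is not modelled here because it can be defeated by the framing page and is no substitute for the headers.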

ASSET is also "working with the security community to develop a relatively mature security framework as part of Adobe AIR, launched in February 2008," Arkin said.
