The Adobe Secure Software Engineering Team (ASSET) is trying to improve visibility into its software development processes to get security researchers to report flaw findings directly to the vendor.
Some vulnerabilities are reported to Adobe by security researchers only after first being reported to Mozilla, Microsoft and other software vendors. That detour often lengthens the time it takes to roll out a patch, said Brad Arkin, Adobe's director of product security and privacy.
"There is an amount of inefficiency as a result, of course, and we need to do our part to try and improve upon it, in part through the ASSET blog," Arkin said in an email exchange.
To help explain what's going on behind the scenes and develop more communication with security researchers, ASSET is starting a new blog to focus on the secure development lifecycle, Arkin said.
ASSET works alongside the Adobe Product Security Incident Response Team (PSIRT) by ensuring that security is built into Adobe's software development lifecycle. The two groups were born out of the Adobe-Macromedia acquisition, when secure software engineering practices merged as part of the integration of the companies in 2005.
"As always, our goal is to improve communication around Adobe's security efforts and to keep our customers as secure as possible," he said.
Adobe's secure development lifecycle is similar to Microsoft's processes, Arkin said. ASSET team members work frequently with Microsoft to exchange security-related knowledge, he said.
"Our process shares many best practices with Microsoft's SDLC, but is customized to fit Adobe's approach to software engineering," he said.
In addition, Adobe is increasing the visibility of the team by presenting at and attending more security conferences, inviting outside security experts to speak at Adobe, and publishing security-related documentation, Arkin said.
Arkin said Adobe's software team has improved security by enabling secure compiler flags in the latest versions of Flash Player and Adobe Reader. The flags help ensure developers don't store static passwords, encryption keys or other sensitive data within the source code of a SWF file. They also offer other safeguards, such as ensuring that any trace commands are removed when the compiled SWF file is created.
Adobe also worked quickly to address a clickjacking issue in October. The vendor requested that two security researchers, Robert Hansen and Jeremiah Grossman, postpone their presentation on the vulnerability so the software team could produce a patch. Grossman said at the time that he was surprised Adobe took ownership of the attack technique, because he considered it to be the responsibility of the browser vendors. The update blocked the threat as well as clipboard attacks that had been plaguing end users for months. Clickjacking allows an attacker to trick a user into unknowingly clicking on a link in a Web page. The update came with a detailed review of the other security changes Adobe made to Flash Player and how they could impact existing content.
ASSET is also "working with the security community to develop a relatively mature security framework as part of Adobe AIR, launched in February 2008," Arkin said.