
Adobe focuses on secure software development lifecycle

With its popular software increasingly targeted by hackers, Adobe has stepped up efforts to secure its applications.

When Brad Arkin joined Adobe Systems Inc. a little less than two years ago, the maker of the popular Adobe Reader and Flash Player hadn't had a zero-day incident. Now, unfortunately, such threats are becoming more routine for the company, said Arkin, senior director of product security and privacy at Adobe, which is tackling the problem with an aggressive secure software development lifecycle.


Earlier this month, Adobe repaired a zero-day vulnerability in Flash, only a few months after issuing an emergency update to fix a critical flaw in its Reader and Acrobat applications.

"There are definitely a lot of bad guys out there who make a living attacking software. … They started by attacking Microsoft, now they're attacking Adobe too," he said. "We're definitely in the spotlight."

Arkin spoke about Adobe's security challenges and the company's Secure Product Lifecycle (SPLC) in a presentation last week at an (ISC)2 conference on securing software in Fremont, Calif. The conference, entitled SecureSDLC: Building Security into the Software Lifecycle, drew about 75 infosecurity professionals, application developers and auditors.


Adobe products such as Reader are widely used, feature-rich and compatible with a broad range of platforms, making them a big target for criminals, Arkin said.

Adobe's SPLC, which includes an 80-point security plan for every product, security training and certification for engineers, and a culture of security built largely on the company's training program, has yielded more secure products, he said. The four-tier training program, launched in early 2009, begins with computer-based training; to reach the third level (a "brown belt") an engineer must propose a security project and finish it within six months, and the fourth level (a "black belt") requires coordinating brown-belt projects.

Adobe relies heavily on static and dynamic analysis tools in its secure software development lifecycle, and fuzz testing in particular has proven very useful, Arkin said. The goal is to catch vulnerabilities up front by writing secure code, but it is also important to re-review old code, because the threats it faces keep changing, he said.

When the software maker ships a product, it has a response plan in the event of a security incident, said Arkin, who manages two teams, Adobe Secure Software Engineering Team (ASSET) and the Product Security Incident Response Team (PSIRT).

Matt Moynahan, CEO of Veracode Inc., a Burlington, Mass.-based provider of cloud-based application security services, said the challenge for Adobe, as well as Microsoft and Symantec -- other suppliers of widely deployed software -- is products that were built years ago, before today's onslaught of threats. They're also dealing with multiple platforms and an environment in which most customers don't update regularly, he said.

"All of the top software vendors are really grappling with a critical problem, which is that modern warfare has been brought to a coding environment that wasn't built for it," he said.
