Peleus here. As part of Adobe’s Secure Product Life Cycle (SPLC) efforts, we are always looking ahead to determine the future of the threat landscape. My particular focus is researching threats to Adobe’s Flash Platform products. This week, I will be co-presenting with Jesse Collins from Microsoft’s Silverlight team at the Microsoft BlueHat conference. We will be combining our research so that we can create a more holistic view of the RIA threat landscape. This cooperation is complementary to what David Lenoe and Jeremy Dallman discussed on the Microsoft SDL blog detailing how Adobe and Microsoft are working together to protect our customers.
As part of the lead-up to the presentation, I posted a blog describing some of my research on cross-domain threats. During the conference, I will expand upon this research, detailing how improperly combining different types and classifications of cross-domain permissions can lead to increased security risk. The research has already caught the attention of Bryan Sullivan of Microsoft’s SDL team, who assists in the development of Microsoft’s cross-domain SDL requirements. I plan to meet up with Bryan at the conference to share ideas on advancing the cross-domain SDL.
One of the advantages of collaborating with the Microsoft Silverlight team is that it allows us to see the overall threat landscape from two different perspectives. A more accurate view increases the ability for all vendors to better protect our customers. The talk will also cover the commonalities and subtle differences between different RIA technologies. Demonstrating the commonalities between platforms makes it easier to communicate risks to developers who may be implementing a mix of technologies. Overall, this has been an interesting process and we will post additional information after the conference.