Adobe Secure Software Engineering Team (ASSET) Blog

Hi there!

Steve here again, to let everyone know what the Adobe’s security team is up to. This week the team heads to the desert to take part in one of the best annual security events, the Black Hat USA 2011 security conference in Las Vegas.

A key part of the Adobe security strategy is centered on collaboration and engagement. This is one reason why Black hat is important to us. This year, we are happy to be engaged in the following ways.

• Adobe is once again a sponsor
• Adobe’s contributing with talks by Brad Arkin – Trillions of Lines of Code and Counting – Securing Applications At Scale  and Bryan Sullivan – Server-Side JavaScript Injection: Attacking NoSQL and Node.js

The rest of the team will be taking in talks on new security topics and answering questions on what Adobe is up to in the area of security.

We will also have a hospitality suite in Caesars palace (conference hotel) to make it easier for people to take a break, stop by and have a chat with us.

Adobe is looking forward to seeing you there!

Cheers

Steve “Capn Steve” Adegbite

Last week I got a chance to travel to Montreal to attend the RECON2011 conference. In my last blog post I talked about this conference being among the best for deep technical security information. I am glad to report that’s still the case. There were talks on all aspects of reverse engineering, multiple operating system internals, and other complex security topics.The conference is run as one track, packed with technical presentations on relevant security topics.  This is a great plus for our security staff that are always continuously looking to improve Adobe products security.   

 The other plus is that the number of technical experts in one room creates a great opportunity for us to engage in valuable security-related conversations. Here at Adobe, listening to the feedback and input from the security community is a critical aspect of our overall security strategy. We are always eager to hear people’s thoughts on the strengths and weaknesses of our efforts.  At RECON2011, we had the opportunity to talk with many in the security community about our activities, and I am happy to say that most seemed to feel that we are on the right track but are not done yet.  This is something we recognize.  We understand that security is more like a marathon versus a sprint. So there is always more good work that can be done, especially as the threat landscape is constantly evolving. This conference allowed us to collect some great feedback and we will we be bringing that feedback in-house to evaluate and put to use.  One example of a valuable piece of feedback was to continue to innovate on our sandbox initiative. Sandbox has been great for the Reader 10 user base and continual improvement can only make things better.

Until next time,

 Steve “Capn Steve” Adegbite

Hi there!

 Steve here, checking in to give you an update on where the Adobe product security team’s travels are taking us next.

 Brad Arkin will deliver the Thursday keynote at the 2011 OWASP AppSecEU Conference in Dublin, Ireland on June 10, 2011.

 As the Chair of FIRST.org I’ll be presiding over FIRST’s 23rd annual conference in Vienna, Austria, from June 12-17, 2011. The Adobe PSIRT group manager, David Lenoe, will also be in attendance.

The next stops after this will be other conferences in North America, such as REcon 2011 in Montreal, Canada, and (our favorite) Black Hat 2011 USA in Las Vegas. Bryan Sullivan’s Black Hat talk on “Server-Side JavaScript Injection: Attacking NoSQL and node.js” has already been accepted.

See you there! 

Steve aka  “Cap’n Steve”  Adegbite

Hi there!

Steve Adegbite here with an update on the Adobe security conference schedule.  Last month, Adobe’s security team was deeply involved with RSA Conference 2011. We had the opportunity to talk with many of you in our booth and at various sessions—customers, partners and other members of the security ecosystem.

This month, we turn our focus up north towards Vancouver, Canada, where yours truly, some of our security researchers (Kyle Randolph, Jim Hong and Peleus Uhley) as well as some folks from our product teams will be engaging with the security research community at CanSecWest 2011.

CanSecWest is one of the largest security conferences in the Pacific Northwest, and Adobe is proud to once again be a sponsor this year. Community engagement and event sponsorships are core aspects of our overall product security strategy and our commitment to doing whatever it takes to protect our customers. Members of the security community are our best allies when it comes to figuring out which initiatives to take on next as we all face a threat landscape that constantly changes.

This year at CanSecWest, we will be checking out the latest research on our technologies in hope of finding new ways to protect more customers. Our security researchers will be on hand for what looks to be a great three days of talks and community engagement. So if you are in the neighborhood, stop by and say “hi.”

Steve Adegbite – Senior Security Strategist

A lot of my friends in the industry are curious why I chose Adobe among the opportunities I was considering when I decided I was due for a change. My new team at Adobe suggested this was a great topic to kick off my first ASSET blog post. So here goes…

The first thing to understand about me is that I love engaging with people to help solve security issues from both technical and people/process angles.   I believe that the technical aspect of a security issue is only a small part of a broader people and process problem.   This is what makes the community engagement side of my security work so intriguing.

It also allows me to strategically think about the best way to help influence and solve the immediate tactical problem (the technical part) by addressing the strategic long term issues in the people and process realm. Another reason why I was drawn to security is that it’s never short on challenges to keep you on your toes. Fresh challenges definitely keep things exciting.

Enter Adobe.  Adobe’s present position with regards to security is really unique and definitely challenging (multiple platforms, broad feature profiles, incredible reach, etc).  So as I learned more about Adobe I was drawn to the following things about the company:

• A budding security culture that’s already started to get woven into the company’s DNA.
• Smart technologists with a passion for doing the right thing for customers, particularly around security.
• A company whose technologies have a long reach on multiple platforms. (Which means more toys for me to play with!)
• A central product security team full of dedicated security professionals.
• A place where I can engage every conceivable external audience on the topic of product security.
• Not least, I finally found some sunshine! (Anyone that has lived in Seattle for sometime will appreciate this last one.)

With all of this I saw the opportunity to help make an impact on the security landscape. I was sold on joining the Adobe team.  Adobe is the right fit for my interest, talents and passions.  Look to hear a lot from me via the ASSET blog, Twitter and in person on what we (Adobe) are doing around product security.

It’s going to be a great ride.

Steve