We Care

Recently, when speaking with a few researchers about why they did not report vulnerabilities to Adobe, we have heard a few variations of, “I didn’t think Adobe would care.” Those responses were disappointing to the Adobe Secure Software Engineering Team (ASSET) and it was clear that Adobe needed to do more to reach out to security community and be transparent in our efforts to protect customers. ASSET strives to improve the Secure Development Lifecycle within Adobe for all products, coordinate the Adobe Product Security Incident Response Team (PSIRT) and perform security community outreach activities. Those comments indicated that Adobe needed to do more with regards to communicating the activities of ASSET to the external community. This blog is one of the methods we will use to achieve that goal.
Adobe has taken significant proactive measures to improve the security of our products over the last few years and we plan to continue to build upon that foundation moving forward. Through this blog we hope to communicate what we have achieved and where our customers can expect us to be in the future. We will be providing specific details on the current status of our individual security programs within Adobe in upcoming posts. However, to set the scene, let’s take a quick look back on the last year that led to where we are today.
First, it is very clear to Adobe that we are receiving increased attention from the security community. Adobe has been responding to this increased attention over the course of the last year by proactively investing in both internal and external security measures to further protect our customers. We have added several new people to our team including Brad Arkin who recently joined Adobe in the new role of Director of Product Security and Privacy within Adobe. For additional support internally, we have increased our efforts in disseminating security information, tools and resources to the individual product teams. One example of this effort includes our recent initiative to expand the library of online security training modules as part of a broader set of education programs for developers and quality engineering. For the external community, we have also contributed towards making more security information available to the customers who deploy our products in order to assist developers and administrators in implementing best practices with our software.
The current focus on Adobe products from the security community has also lead to an increased number of reported security issues. To that end, Adobe has become more aggressive in responding to external security incidents. One recent example was the clickjacking issue reported to us by Robert Hansen and Jeremiah Grossman. Adobe responded by implementing a cross-platform, cross-browser patch within weeks of notification. And while the complexities of the many environments our products run on can sometimes prevent us from responding as quickly to other reported issues, this specific example helped to raise the bar for what we can achieve and what we want to work towards in the future. For researchers who find issues with our products, you should know that Adobe follows industry standard responsible disclosure practices and we will give credit to all researchers who follow that process when reporting vulnerabilities.
These are just a few of the steps that Adobe and ASSET has taken to improve the security of our products and services. This blog will help describe in more detail how moving forward we plan to improve in each area of the security lifecycle. By publishing information on our security development lifecycle, we hope to convey to our customers Adobe’s efforts to ensure the security of their infrastructures. In addition, it is our hope that the information we provide about the lessons we’ve learned during these processes can help to further the industry. In short, we care.