Archive for January, 2009

Register Now for a joint Adobe Security eSeminar with special guest Forrester Research

Event Details:

Please join Adobe and Forrester Research on February 10th at 2pm EST as we attempt to help you address the always-difficult question “Is your company’s data safe?”

To succeed in today’s global economy, companies face intense pressure to produce and deliver better products and services to the market faster and more efficiently. Accordingly, sensitive information needs to be exchanged efficiently and securely to partners and suppliers across industries and geographies with diverse regulatory requirements.

Join Adobe’s John Carione, and special guest Jonathan Penn, Analyst at Forrester Research, to learn how to be proactive and systematic in reducing the risk of Data Loss in your environment. Jonathan will discuss best practices in data security, trends in the industry, and examine the inherent strengths of today’s data protection solutions and how they relate to a customer’s underlying business drivers. John will then address how Adobe customers are using Rights Management technology to protect sensitive information assets as they flow inside the Enterprise and beyond. He will also discuss the need for persistent document enforcement as a vital extension to any Enterprise classification project.
Attendees will learn how to:

• Proactively protect and control sensitive information
• Deliver best practices around data protection
• Understand the importance of Rights Management in any Enterprise Security strategy

Speakers:
John Carione
Senior Product Marketing Manager, LiveCycle

Jonathan Penn
Analyst, Forrester Research

Event Schedule:
Tuesday, February 10, 2009 at 2PM EST (11AM PST)

Register Now here

Adobe PSIRT Process

Following on Peleus’ ‘We Care’ post, we thought this would be a good place to give a more thorough description of Adobe’s Product Security Incident Response Team (or PSIRT) process. Much of the work ASSET does is on the proactive side, preventing software vulnerabilities before a product ships. Adobe’s PSIRT is the part of the ASSET organization that responds to security issues that are discovered by external security researchers, partners, customers and others after a product ships. Here’s a step-by-step description of our process; note that some of these steps overlap and happen in parallel:
Step 1

  • Adobe PSIRT receives information about security vulnerabilities through numerous channels, including (but not limited to):
    • Email from security researchers, partners, or customers, via our feedback web form or directly to PSIRT@adobe.com
    • Public posting (Bugtraq, VulnDev, etc.)
    • Adobe Support
    • Internal notification (usually from Adobe’s Engineering teams, Quality Engineering teams, or ASSET)
  • Adobe PSIRT responds to the person who reported the issue (let’s call them the ‘researcher’), acknowledging the report and asking for a proof-of-concept file to demonstrate the vulnerability, if applicable.
  • Adobe PSIRT logs the issue in the Incident Response Database for tracking purposes. An Incident ID is automatically generated at this point, and passed along to the researcher.

Step 2

  • Adobe PSIRT sends the report to the relevant product team’s PSRT (Product Security Response Team) for verification. The product team’s PSRT includes a collection of Development, Quality and Program Managers, along with Developers, Quality Engineers and Product Managers.
  • ASSET helps reproduce the bug and assists the product team with severity analysis. If reproducible, the product team (or ASSET, if appropriate) logs an internal Adobe bug for the issue.

Step 3

  • The product team investigates the issue and develops a fix, or workaround. ASSET helps to verify the fix.
  • Any fix will be ported to all supported versions, as well as any version(s) currently under development.

Step 4

  • Adobe PSIRT responds back to the researcher, informing them that the issue has been reproduced and a fix is being investigated.
  • As soon as possible, Adobe PSIRT communicates a proposed timeline for a patch to the researcher.
  • Adobe encourages the responsible disclosure of vulnerabilities in our products, so the researcher is asked to keep the vulnerability confidential until a fix is available. Our goal is to keep our customers as secure as possible, so we want to keep the vulnerability information from malicious hackers.

Step 5

  • The product team produces patches for all supported product versions, as quickly as possible. Adobe PSIRT passes along any relevant status updates to the researcher and answers any questions they may have.
  • Adobe PSIRT produces a Security Bulletin draft for the issue. The Security Bulletin text is reviewed by internal Adobe stakeholders.

Step 6

  • Adobe PSIRT passes the patch to the researcher for verification, if possible.
  • Adobe PSIRT sends the Security Bulletin text to the External Security Researcher for review; the Security Bulletin includes an acknowledgment to the researcher thanking them for their help with the issue.
  • Adobe PSIRT works with MITRE Corporation to generate CVE identifiers for any relevant issues.

Step 7

  • The Security Bulletin is posted to http://www.adobe.com/support/security/ along with the product patch(es).
  • Adobe PSIRT posts a link to the Security Bulletin on the PSIRT blog (http://blogs.adobe.com/psirt/) to inform customers who have subscribed to the RSS feed. Customers are encouraged to sign up for the RSS feed by clicking on the link towards the bottom on the right side of the landing page for the most timely notification for security issues.
  • Adobe PSIRT coordinates a notification e-mail, sent to customers who have signed up for bulletin notification e-mails.
  • Customers update their product installations, and the researcher posts their own advisory, if applicable, once the patch is available for customers.

And that is how our PSIRT process works! It can be a complicated process, and we really appreciate the help of all of the security researchers who have cooperated with us, and been patient with us over the years as we fine-tune it. If you have any questions about the process (or, of course, any security vulnerabilities to report to us), please don’t hesitate to contact PSIRT@adobe.com.

Configuring Certificate Authentication

Following on from our overview of authentication types in LiveCycle Rights Management, we recently published a guide within the LiveCycle Developer Center that shows how you can configure LiveCycle to support certificate authentication. You can read it here: http://www.adobe.com/devnet/livecycle/pdfs/lcrmes_config_authentication.pdf

Adobe Secured Customer Showcase: Dr. Robert Wood Dentistry

Read this recent story here in the Joplin Globe about how the Dr. Robert Wood Dentistry practice has transformed itself into a paperless office using Adobe Acrobat Electronic Signatures.

From the article, “Robin Wood can bring up a prescription, sign it electronically, send it directly to a pharmacy’s fax machine, then electronically attach it to the patient’s file. She receives an electronic confirmation via e-mail that the pharmacy received it.”

Adobe Secured Customer Showcase: Argentina National Social Security Administration (ANSES)

Read about how the Argentina National Social Security Administration is using Adobe LiveCycle Rights Management ES along with forms-based Digital Signatures to secure digital forms in its Systems and Telecommunications Management department. The Adobe security solution ensures confidentiality and integrity for sensitive operational data within the agency and external client information.

Managers use the solution to sign formal regulations in a forms workflow that is routed back to a supervisor for final signature and timestamping. Depending on the type of services being initiated within the form itself, Adobe LiveCycle Rights Management then applies the appropriate controls based on a particular security policy.

Read more about this customer here.