Archive for March, 2009

Join Adobe at the 2009 RSA Conference!

The 2009 edition of the RSA Conference is right around the corner, but it’s still not too late to join us. This year’s conference will be held at the Moscone Center in downtown San Francisco from April 20 through April 24th, 2009. Register here and learn about all the great sessions, speaking engagements, and events planned for the week.

We are excited to announce that this year we will be participating as a co-host in the Arcot Systems booth. Arcot is a leader in protecting and verifying digital identities. Financial institutions, pharmaceutical companies, and eShopping sites rely on the company’s software-only solutions to prevent online fraud and identity theft.

On the show floor, we will be offering demos for Adobe’s Electronic Signature offerings as well as LiveCycle Rights Management ES, so please stop by the Adobe pod within the Arcot booth! Also, please don’t forget to check out John Landwehr, Director of Security Solutions and Strategy, at Adobe, for a lively panel discussion on Cloud Computing.

We look forward to meeting you!

Arcot is part of Adobe’s Security Partner Community, a growing ecosystem of ISV and solutions partners that allow Adobe to offer best of breed security offerings for our customers.

Click here to visit the Arcot website.

Adobe Secured Customer Showcase: Castilla-La Mancha Community Council

Castilla-La Mancha, a Spanish community government is using Adobe LiveCycle to streamline and secure their complex document management and review process for the executive office and community council. Specifically, the organization uses Adobe Acrobat Pro and Adobe Reader software for the development and review of the documentation, and Adobe LiveCycle Rights Management ES software to apply the maximum level of security to control access to the documents.

The secure documents can be accessed online using a web browser via JCCM’s intranet or offline. Updated authorization is required for both methods of access, providing the system with complete traceability of its use, which in the case of printing consists of a watermark. Downloads are completely controlled, identifying each user, and preventing the document from being opened on a computer where it was not originally downloaded. An expiration date is also applied for each document’s use.

Click here for the full story.

Investing in the community

Peleus here. Within Adobe, we do all that we can to secure our products, however, we can’t do everything on our own. Cooperation with the security community is essential to ensuring secure deployment of our products by our customers. Over the last year, Adobe has taken several measures to better interact with the security ecosystem including assisting groups such as OWASP, sponsoring conferences such as ShmooCon and CanSecWest, and building relationships with vendors and consultants. Our recent work with vendors to supply solutions for deploying SWF content securely is one example of these projects.
Coming out of the consulting world, I understood the challenges in analyzing a web site based on the Flash Platform. Although there were some basic tools and a handful of people with the appropriate knowledge, it was clear that more could be done. To solve this multi-faceted issue Adobe would need the assistance of the security community. From our end, we have been increasing our security documentation for developers, such as our Creating more secure SWF applications article, however, documentation can only go so far. We also needed to build alliances with vendors in the industry to help deliver the tools necessary to analyze production code.
This week, HP has stepped up to assist Flash developers by providing a free static analysis tool called SWFScan. SWFScan is able to perform static analysis on SWF content to identify common coding errors that can lead to vulnerabilities once the SWF is deployed. This allows developers to identify vulnerabilities earlier in the development cycle. Consultants who do not have access to source code can also leverage SWFScan to perform offline analysis of content by using it to decompile SWFs. SWFScan will work with ActionScript 2.0 and ActionScript 3.0 code and is free for everyone to use.
Last month, IBM launched AppScan 7.8 which can dynamically evaluate SWF content and perform penetration testing on a web site. Their tool is targeted at enterprise customers and allows users to enumerate flaws during the quality assurance phase of development. While static analysis can find many flaws, it is also important to analyze a SWF within the full context of its deployment. AppScan can monitor the SWF as it executes to identify flaws within the SWF’s run-time interactions with existing content as well as server communications through protocols such as AMF.
Both tools fit together nicely by allowing for security analysis at both the implementation and quality assurance phases of development. With these tools from HP and IBM, in addition to the work that Adobe does to help secure Flash Player and improve security documentation, our customers now have a more complete solution for deploying SWF content securely.
Within ASSET, we always try to examine the security of our products from as holistic a view as possible. Therefore, Adobe will continue to work with these and other vendors in the security community to bring together solutions that will help customers safely deploy our products and allow end-users to safely interact with them.

NIST FDCC Compliance with Adobe Acrobat and Reader

Adobe Acrobat and Adobe Reader have been tested and meet the NIST FDCC compliance guidelines according to the testing process provided in OMB memo m08‐22. Compliance was verified by testing the product using the following procedures:

Continue reading…

Acrobat and Reader 9.1 Now Available with Information Assurance Updates

Version 9.1 of Adobe Acrobat and Adobe Reader are now available with critical security updates and other product improvements. Adobe strongly recommends all users update using the built-in software update system or manual download from Here are some additional details on this release:

Continue reading…

RSA 2009 Conference Session on Cloud Computing Security

If you are attending the 2009 RSA Conference in San Francisco this April, be sure to check out this panel discussion on cloud computing security

Continue reading…