Archive for November, 2011

BSIMM 2011 Community Conference

Jim Hong, Kyle Randolph and I attended the BSIMM Community Conference last week at the Skamania Lodge in Stevenson, WA (about an hour outside Portland). The BSIMM (“Building Security In Maturity Model”) community is composed of folks who work on software security as part of their day job for organizations that have performed a BSIMM measurement. Adobe was one of the original nine organizations to kickstart BSIMM in the fall of 2008, and we conducted a second measurement in 2010. I’m also a member of the BSIMM Advisory Board. You can learn more about BSIMM at

Of the more than 40 organizations that have conducted a BSIMM measurement, 25 were represented by 77 attendees at last week’s BSIMM community event. This group made for a very interesting subset of the broader security community because everyone is focused narrowly on practical defensive software security. Offensive security topics tend to dominate most of the security conferences I attend. Even the conference talks that are supposedly about defensive topics tend to focus on how to employ offensive techniques during testing rather than on providing a holistic view of real-world defensive software security. So, it is refreshing and exciting when someone tries to rally attention towards research into truly defensive techniques. (The Microsoft BlueHat Prize announced at BlackHat this past summer and the exchanges among the members of SAFECode are other examples that come to mind.)

I presented “Adobe Product Security Through the BSIMM Lens: 2008-2011” on the first day of the BSIMM event and attended a number of interesting talks. However, the most valuable part of the event, as is always the case, was the “hallway track.” The chance to compare notes with peers from other organizations tackling the same technical problems with such widely varying resources, priorities and definitions of success was the reason I attended, and I wasn’t disappointed.

To sum it up, the BSIMM community event was a great opportunity to spend time with like-minded folks from across the industry. I’m looking forward to next year.

Bentley Systems integrating Adobe’s Rights Management

Today Bentley Systems announced their alliance with Adobe to integrate rights management with ProjectWise and AssetWise for architecture, engineering, construction (AEC) and operations workflows. Rights management already supports native PDF and Office formats, and this integration will provide support for additional formats in these markets. This includes the ability to control who can open a document, specify what they can do with it, and track what has been done with it. This content-centric security also supports expiration, revocation, and version control at the file level.

Adobe Welcomes Siemens to SAFECode!

I’m excited to welcome Siemens as the newest member of SAFECode and Dr. Frances Paulisch to the SAFECode board of directors.

Adobe joined SAFECode (the Software Assurance Forum for Excellence in Code) in 2009. You can read a bit about what I was hoping Adobe would gain from its SAFECode membership in a Q&A posted at the time to the SAFECode blog. Since we joined, we’ve contributed to a couple of major publications—the Fundamental Practices for Secure Software Development paper and an Overview of Software Integrity Controls—as well as numerous smaller efforts.

However, the biggest value Adobe has gained from its SAFECode membership comes from the very frequent interactions we have at all levels with our peers from the secure software engineering teams of SAFECode member firms. From comparing external communication strategies to technical release checklists and tooling, the benefit of tapping into a community of people tackling the same challenges cannot be overstated.

Expanding this community to include the Siemens security folks is a big win for the SAFECode community and will help accelerate the hard work Siemens is putting into securing their software. SAFECode is always on the lookout for prospective new members, so if you think your organization might be a fit, please get in touch. You can learn more about SAFECode here.