Archive for June, 2013

Adobe Sponsors and Participates in FIRST Conference

Last week I attended the Forum of Incident Response and Security Teams (FIRST) conference in Bangkok,Thailand. Adobe has been a member of FIRST for a few years, and has sponsored  the annual conference, which is always excellent.

This year we had a special opening keynote presentation by the Prime Minister of Thailand. It was lovely to see such a high-ranking official rate security as important enough to make time to participate in the conference. One presentation that really stood out for me was Verisign’s talk about some of the investigations they have conducted and the tactics they use for information gathering. In addition to presentations from experts from around the world, I spoke about a recent incident and how Adobe was able to leverage the event to drive lasting positive improvements.

I was so impressed with the conference and the organization, I am now proudly serving as the corporate secretary of FIRST.

Lindsey Wegrzyn Rush
Sr. Product Manager, Abuse and Security

Reader 9.x Reaches End-of-Life

In line with the Adobe Support Lifecycle Policy, Adobe’s Acrobat 9.x and Reader 9.x suite of products reached their end-of-life (EOL) today, June 26, 2013. This means that Adobe will no longer provide security or other updates to this product suite.

Over the years, we’ve made several security enhancements in the successors of Reader 9, Reader X and Reader XI, including the Protected Mode (aka “sandboxing”) and Protected View. There has never been a better time to upgrade to Reader XI. Please upgrade, ensure automatic updates are turned on, and stay secure!

Karthik Raman

Security Researcher, ASSET

Training Secure Software Engineers, Part 3: Tips on creating your own training

This is the third and final post in our series on the Adobe Software Security Engineering Team’s (ASSET) Software Security Certification Program, which formed the basis for the newly released SAFEcode Software Security Training. In the Overview post, I talked about the overall program, in the second post, I talked about the logistics of creating your own training program and using metrics to track your progress. In this post, I’ll provide some tips for creating your own software security certification program or supplementing the SAFEcode Software Security Training with your own training.

Tips
While we were in the process of creating the ASSET certification program, there was a lot of trial-and-error learning that took place. Here are some of our lessons learned so if you’re building your own training, you can skip the growing pains we experienced:

  • Know your audience and tailor content to their needs. People will become frustrated if they cannot connect what they are learning to what they need for their job. It’s like the age old question, “Why do I have to learn algebra if I’m never going to use it?” I’m not going to explain that one, but I do not want to address my deadline crunched Java developer with the specific reasons of how a course called “How to Write More Secure C/C++” is going to alleviate a worse situation down the road.
    • We began with a more liberal arts approach to security and have since shifted to a more proscriptive approach over time.
    • Also, we now have different tracks for different roles at Adobe. There’s a manager’s track, a Dev track and a QA track.
  • Get executive buy-in. You can market a training program within a company until you die and get no traction unless somebody with power and influence throws their weight behind it. People want to know that the investment they make with their time will be recognized and valued by someone. What does it matter if I have a fancy badge if nobody cares what it means? Get executives to talk about, email about and even mandate trainings.
  • Use crises to push your agenda. In order to get executives to pony up, you need to demonstrate the value of your offering. The most effective way to do this is to leverage a crisis. Use vulnerabilities that are painful or embarrassing to remind execs that proactive security work pays off; use the training to show them you have a solution. A developer who knows secure coding will be more efficient at hardening code.
  • Use metrics to encourage participation, stimulate competition and show progress. We use our training metrics tracking tool (TESSA) to allow everyone to see who is and isn’t trained. Training metrics consistently show that teams with higher training density perform better on quantified metrics like incident response time. Making metrics public, within the company, sparks competition among teams and individuals. Employees have tied achievement of certification belts to goals for their annual reviews.
  • Refresh content on a regular basis. As we all know, the threat landscape continues to change. The Web hacking techniques from 2013 are different than the ones the Web hacking techniques for 2012. Developers continue to use new languages, open source components and new tools in their jobs. For this reason, it’s important to revisit your security training content on at least an annual basis and update anything that’s out of date.

Real Results
We believe the evidence proves our security training program is working. The first two levels of the certification program are now required of every developer and tester on every product team, as part of the Secure Product Lifecycle (SPLC) at Adobe. In 2008, security wasn’t a regular topic on executive roadmaps, today the highest levels of management at Adobe review the “Security Health” dashboard for each major product and service on a regular basis.

The Intangibles
Although there is an initial investment associated with creating your own training, it’s a great way to brand your security team(s) throughout the company and get the word out.

The training program has allowed the ASSET team to transition from “giving a man a fish” by repeatedly teaching primary security concepts, to raising security awareness among the development teams and “teaching a man to fish” by scaling and creating embedded security leaders (brown and black belts) to lead the security charge within development teams.

The impact of the ASSET certification program can’t be overstated. Creating a training and certification program at Adobe catalyzed a cultural shift and ultimately built a foundation for the company to innovate and improve the security of all its products.

We began with approximately 25 original course offerings, and have since doubled that number. We continue to revise and add courses to our curriculum and build on the security culture at Adobe. If you’re interested in talking about security training and our certification program, let’s catch up at the next conference.

Josh Kebbel-Wyen
Sr. Program Manager