Like many large software companies, Adobe makes use of both open source and commercial off-the-shelf software components to deliver solutions to its customers. From time to time, as with any publicly available software, vulnerabilities may be uncovered that require resolution – creating a cascading challenge in assuring that any solution using those components is remediated quickly. To help solve this vexing problem, Adobe developed an in-house solution we call “TESSA.”
What is TESSA?
TESSA aids in the development of more secure software by tracking known vulnerabilities in third party software components. Previous attempts at solving this problem used a combination of wikis or spreadsheets to track libraries in use and signing up to the mailing lists of all external 3rd parties to get notified about any updates. This proved not to be a very scalable approach. We also use the term “3rd party” loosely here – the components tracked by TESSA could be from entities external to Adobe or libraries developed internally for use across multiple solutions. Keeping track of these vulnerabilities – and the action plan to remediate them – is imperative: any software built is only as secure as the pieces used to build it.
Information about a solution and all of its 3rd party components is loaded into TESSA as part of the Adobe Secure Product Lifecycle (SPLC) security review process. TESSA provides component-centric workflows allowing developers to compare components and determine safer versions quickly. Information about known vulnerabilities is refreshed continuously using readily available information services. It is meant to provide as holistic a view possible of known vulnerabilities. TESSA is component, version, and language agnostic – something we found lacking in many commercially available tracking tools. It also provides a detailed dependency hierarchy covering components – including parts of other components (figure 2). The complexity of much of Adobe’s software code also means we needed a solution that was highly customizable. Also, we needed to ensure that we can quickly integrate solutions from acquisitions.
Beyond Simply Knowing
Knowing about the possible vulnerabilities in software components is only part of the battle. However, it is just as important to help ensure those vulnerabilities are addressed as part of the software development lifecycle. TESSA integrates into existing developer workflows and aids teams in addressing vulnerabilities in these major ways:
- Alerting developers to which available versions of a component will address vulnerabilities.
- Providing automation plug-ins integrated into the product build cycles. For example, TESSA can fail a build if changes introduce known vulnerabilities or if a developer tries to use an obsolete or unapproved component.
- Provides alerts to users when major industry vulnerabilities occur. When faced with these new vulnerabilities in components, TESSA can help quickly determine solutions and teams that use them and kick off the remediation process.
- Managed deprecation – when our own security and/or compliance standards require replacement of certain components, TESSA enables us to quickly determine the overall impact to engineering teams and better manage the change.
- If a team can’t immediately upgrade to the latest version of a library due to backwards breakage, then TESSA can inform them of what can be patched by upgrading to an intermediate version (Figure 3).
More is Coming
Our focus now is on adding more automation capabilities to TESSA to integrate more deeply into the software development process here at Adobe and helping to ensure that existing features can better handle what our engineers may throw at the system. We would also like to get your input on the 3rd party vulnerability management problem:
- How are you currently addressing this problem?
- What do you see as the major issues in tackling this problem?
- Would a system like TESSA potentially help you in better solving the problem?
Please give us feedback directly on Twitter via the @AdobeSecurity handle using the hashtag #AdobeTESSA. We will also be providing more information about TESSA in upcoming webcasts and at industry events. More information will be provided about those activities here on the Security@Adobe blog.
Sr. Security Researcher