Author Archive: Bronwen Matthews

Adobe Digital Publishing Suite, Enterprise Edition Security Overview

This new DPS security white paper describes the proactive approach and procedures implemented by Adobe to increase the security of your data included in applications built with Digital Publishing Suite.

The paper outlines the Adobe Digital Publishing Suite Content Flow for Secure Content, available in Digital Publishing Suite v30 or later for apps with direct entitlement and retail folios entitlement. The secure content feature allows you to restrict the distribution of your content based on user credentials or roles.

The paper also outlines the security practices implemented by Adobe and our trusted partners.

Security threats and customer needs are ever-changing, so we’ll update the information in this white paper as necessary to address these changes.

Bronwen Matthews
Sr. Product Marketing Manager

Using Smart System to Scale and Target Proactive Security Guidance

One important step in the Adobe Secure Product Lifecyle is embedding security into product requirements and planning. To help with this effort, we’ve begun using a third-party tool called SD Elements.


SD Elements is a smart system that helps us scale our proactive security guidance by allowing us to define and recommend targeted security requirements to product teams across the company in an automated fashion. The tool enables us to provide more customized guidance to product owners than we could using a generic OWASP Top 10 or SANS Top 20 Controls for Internet Security list and it provides development teams with specific, actionable recommendations. We use this tool not only for our “light touch” product engagements, but to also provide our “heavy touch” engagements with the same level of consistent guidance as a foundation from which to work.

Another benefit of the tool is that it helps make proactive security activities more measurable, which in turn helps demonstrate results that can be reported to upper management.

ASSET has worked with the third-party vendor Security Compass to enhance SD Elements by providing feedback from “real world” usage of the product. The benefit to Adobe is that we get a more customized tool right off the shelf; beyond this, we’ve used the specialized features to tailor the product to fit our needs even more.

We employ many different tools and techniques within the SPLC, and SD Elements is just one of them, but we are starting to see success in the use of the product. It helps us make sure that product teams are adhering to a basic set of requirements and provides customized, actionable recommendations on top. For more information on how we use the tool within Adobe, please see the SD Elements Webcast.

If you’re interested in SD Elements you can check out their website.

Jim Hong
Group Technical Program Manager

New White Paper on Creative Cloud for teams Security Architecture and Functionality

At Adobe, we take the security of your digital experiences seriously.

The Adobe Creative Cloud for teams Security Overview white paper describes the proactive approach and procedures implemented by Adobe to increase the security of your Creative Cloud experience and data.

The paper provides details related to the security architecture and functionality available in Creative Cloud for teams. It also outlines the security practices implemented by Adobe and our trusted partners as part of the ongoing development of Creative Cloud. From our rigorous integration of security into our internal software development process to the tools used by our cross-functional incident response teams, we strive to be proactive and nimble.

Security threats and customer needs are ever-changing, so we’ll update the information in this white paper as necessary to address these changes.

Bronwen Matthews
Sr. Product Marketing Manager

NetWars: My Experience at the Minnesota Cyber Aces State Championship

Adobe has always been very supportive of professional development for its employees. It is a great way to work on projects that might not be directly related to one’s main responsibilities. While I am currently responsible for managing engineering and quality engineering on the Adobe Photoshop architecture team, I have been using my professional development time to research cybersecurity.

I recently learned about Cyber Aces, founded by Alan Paller, co-chair of the Secretary of Homeland Security Task Force on Cyberskills and founder and research director of the SANS (SysAdmin, Audit, Networking, and Security) Institute. The goal of Cyber Aces is to “fill a critical shortage of skilled cybersecurity professionals by growing the talent pool, discovering those with high potential, and offering a fast track to cybersecurity jobs.”

In order to qualify for the Cyber Aces Minnesota State Championship, I had to take a series of online quizzes in Networking, Operating Systems, and Systems Administration. Luckily, I scored high enough to be invited to compete for the championship title on a simulation called NetWars – a real-time capture-the-flag competition on March 15, 2014. NetWars was created by the folks at SANS as a way for participants to test their skills with hands-on exercises and penetration tests.

Before the competition, there was an ethics panel hosted by Dr. Kevin Gyolai, dean of STEM (science, engineering, and mathematics) at Inver Hills Community College, where the competition took place. The panelists represented a range of disciplines from industry (UNISYS) to education (Inver Hills Community College) and government (FBI). They talked about the “insider threats” facing many organizations, how the US Cyber Command has hundreds of job openings that it cannot fill, and how BYOD (bring your own device) is challenging university campus networks and corporations.

After the panel, we got down to business. Level 1 had a series of questions asking us to find flags by looking at the file system, and an interesting question about PDF. On a personal level, it was awesome to see a question about a PDF. I am not allowed to talk about the question as the other states haven’t completed the competition yet, but it was an excellent question.

I have earned the ASSET (Adobe Secure Software Engineering Team) brown belt certification and programs like Cyber Aces and NetWars will help me on my way to earning a black belt. Thank you to everyone at Cyber Aces for hosting a fantastic event. I encourage anyone interested in developing their security skills to take a look at Cyber Aces and participate.

Jeff Sass
Engineering Manager, Photoshop

Adobe Sponsors Nullcon 2014

NullCon, held annually in Goa, is one of the premier security conferences in India. This conference has emerged out of a not-for-profit society, null, which is the largest active security community in India. I will be attending the conference along with two Security Researchers from my team, Kriti and Vaibhav. We are looking forward to an interesting lineup of talks, especially the keynote session by Jeff Moss, founder of Black Hat and DEF CON.

I’m most excited about the hallway conversations, which for me have always been the most interesting part of this conference and a time to catch up with some of the brightest minds in security. This year, Adobe will have a booth at the conference and we are recruiting for the role of Security Researcher. So if you are interested, please drop by our booth with your resume, or just come by to say hello.

If you haven’t registered yet for the conference, I encourage you to go ahead. The details are on the NullCon website.

See you there.

Priyank Choudhury
Manager, Secure Software Engineering

My Summer Internship With the ASSET Team

I have spent the last three months working hard to release two coding projects for ASSET! In this blog, I am going to share my experiences working at Adobe from an intern’s perspective.

One of my projects was to develop a specialized tool written in Python for forensics experts in corporate environments. The finished tool incorporates user input on file features, in order to specify behavior and filter files by interest. For example, malicious actors might rename a RAR-compressed executable ‘X.rar’ to ‘X.jpg’ and exfiltrate it. This tool helps forensics experts locate the renamed file. In another example, when an actor encrypts compressed files to bypass AV signature scans, this tool can help detect these malicious files. The tool supports several filtering features and users can easily tweak the configuration to find whatever they are suspicious of.

The biggest part of this project is that we built our own signature library to recognize file types. This is different from most existing ones (WinHex, Scalpel, the UNIX file command), which do rigid static header and footer searching. My project provides an open architecture for adding more signature-searching methods. On the backend, we are implementing modules that provide the searching behavior; on the frontend, signatures in the library are simply JSON objects that call methods via corresponding tags. The objective behind the tool is that we want to know explicitly how each signature is matched and to make extending the signature set as easy as possible.

[Figure: architecture diagram of the tool]

Currently the signature library supports several signature-searching methods, including dynamic signatures. This is really useful when handling executables (PE or ELF structured) which have file-specific computed offsets. As the needs from forensics experts increase, we will continue to develop more powerful features.

[Figure: signature snippet for the DLL file type]
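As an added illustration (not the ASSET tool's own code or signature library), the following is a small Python sketch of the tag-driven design described above: signatures are JSON objects whose checks name a matcher by tag, one matcher does rigid static header matching, and a dynamic matcher handles the PE case by reading the per-file e_lfanew pointer before comparing. The signature entries, matcher names and sample bytes are all constructed for this example.

```python
import json
import struct

# Constructed signature library in the tag-driven JSON style the post describes.
SIGNATURES = json.loads("""
[
 {"type": "jpeg", "extensions": ["jpg", "jpeg"],
  "checks": [{"tag": "static", "offset": 0, "hex": "ffd8ff"}]},
 {"type": "rar", "extensions": ["rar"],
  "checks": [{"tag": "static", "offset": 0, "hex": "526172211a0700"}]},
 {"type": "pe", "extensions": ["exe", "dll"],
  "checks": [{"tag": "static", "offset": 0, "hex": "4d5a"},
             {"tag": "dynamic_pe", "pointer_offset": 60, "hex": "50450000"}]}
]
""")

def match_static(data, check):
    # Rigid header search: fixed bytes at a fixed offset.
    magic = bytes.fromhex(check["hex"])
    return data[check["offset"]:check["offset"] + len(magic)] == magic

def match_dynamic_pe(data, check):
    # Dynamic signature: the PE header offset (e_lfanew) is a little-endian
    # uint32 at 0x3C and differs per file, so it is read before comparing.
    ptr = check["pointer_offset"]
    if len(data) < ptr + 4:
        return False
    e_lfanew = struct.unpack_from("<I", data, ptr)[0]
    magic = bytes.fromhex(check["hex"])
    return data[e_lfanew:e_lfanew + len(magic)] == magic

MATCHERS = {"static": match_static, "dynamic_pe": match_dynamic_pe}

def identify(data):
    """Return the names of every signature type whose checks all pass."""
    return [sig["type"] for sig in SIGNATURES
            if all(MATCHERS[c["tag"]](data, c) for c in sig["checks"])]

def extension_mismatch(filename, data):
    """True when the extension claims a type the content does not match."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    found = identify(data)
    if not found:
        return False  # unrecognised content: nothing to compare against
    return not any(ext in s["extensions"] for s in SIGNATURES if s["type"] in found)

# Constructed sample bytes standing in for real files.
RAR_BYTES = bytes.fromhex("526172211a0700") + b"\x00" * 16
JPEG_BYTES = bytes.fromhex("ffd8ff") + b"\x00" * 16
PE_BYTES = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80) + b"\x00" * 64 + b"PE\x00\x00"
```

With these definitions, `extension_mismatch("X.jpg", RAR_BYTES)` flags the renamed archive from the post's example, while a bare MZ stub without a PE header is left unidentified rather than misreported as an executable.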

ASSET Senior Manager Mohit Kalra, ASSET Security Researcher Karthik Raman and I have been cooperating with experts from other Adobe teams and justifying a few concepts behind the project. After the tool passed several phases of testing, I showcased the tool to other interns and team members at the Adobe Intern Expo, and separately to various forensic experts at Adobe. The project was difficult, and I couldn’t have completed it without the help of my co-workers. This is one of the things I appreciated the most about my internship: teamwork that proved to be productive, solid, and congenial!

Through the internship, I’ve gained hands-on experience on industry-level projects. It has given me insight into project development cycles and let me use many coding skills that I never had the chance to use previously. Apart from the technical side, there are many aspects of life you can learn in such a big corporate environment, and I’ve enjoyed the process of adapting to it.

Timber Deng
Security Intern

Adobe Sponsors and Participates in FIRST Conference

Last week I attended the Forum of Incident Response and Security Teams (FIRST) conference in Bangkok, Thailand. Adobe has been a member of FIRST for a few years, and has sponsored the annual conference, which is always excellent.

This year we had a special opening keynote presentation by the Prime Minister of Thailand. It was lovely to see such a high-ranking official rate security as important enough to make time to participate in the conference. One presentation that really stood out for me was Verisign’s talk about some of the investigations they have conducted and the tactics they use for information gathering. In addition to presentations from experts from around the world, I spoke about a recent incident and how Adobe was able to leverage the event to drive lasting positive improvements.

I was so impressed with the conference and the organization, I am now proudly serving as the corporate secretary of FIRST.

Lindsey Wegrzyn Rush
Sr. Product Manager, Abuse and Security

BSIMM Community Conference 2012

Last week, ASSET team members Jim Hong, Josh Kebbel-Wyen and I attended the BSIMM Community Conference 2012, which took place in Galloway, NJ. This year, despite Hurricane Sandy, the conference had about 90 attendees representing 30 organizations.

The Building Security In Maturity Model (BSIMM) is a data-driven descriptive model of existing security initiatives across various companies. Adobe was one of the nine original participants in measurements for the first version of BSIMM and has participated in subsequent BSIMM surveys.

This year, participants such as Intel, Symantec and JP Morgan Chase held talks during the conference, covering topics such as strategy, architecture analysis, training and penetration testing, with each talk describing how the organizations had customized the best practice in their particular environment.

In addition to the talks, there were three parallel workshops on Security Fraud, Third Party Security Controls and Agile Methods in SSDLs. These workshops provided discussion on the nuances of security and how each organization deals with the challenges associated with them.

The talks and workshops were informative, but of equal or perhaps even greater value was the opportunity to network and compare notes on security initiatives and best practices with peers from across the participating organizations. The benefit from this kind of interaction is immense.

Mohit Kalra
Senior Manager Secure Software Engineering