Author Archive: Brad Arkin, Chief Security Officer

DefendCon – All Systems Go

We are excited to host DefendCon from Adobe, the first security conference that combines the gender-inclusive nature of a traditional women-in-tech conference with cutting-edge, quality technical content presented by a diverse array of speakers.

With DefendCon, we are creating a welcoming environment where attendees will not only learn about security best practices, but also gain insight on hot topics in the industry like artificial intelligence, IoT security, incident response and machine learning.

We’re all familiar with the stats around the growth of jobs in information security and the fact that women make up less than 11% of the cybersecurity workforce*. Historically, women also leave the IT workforce at almost twice the rate of men. In an industry with an increasing demand for qualified candidates, we need to attract, train and retain high performing individuals. We know that diverse teams lead to higher performance and better results, and we’re continuing to build on our initiatives in diversity, security best practices, and security education to help creatively solve these issues.

The first ever DefendCon will take place this week on September 21-22 at the Adobe Seattle office. We hope to provide women and men in the security industry with a quality experience to connect, collaborate and learn. We currently have speakers and participants from across the tech sector including LinkedIn, Netflix, Apple, Microsoft, Salesforce and Google. From Adobe, our own Senior Security Researcher Cindy Spiess, Security Researcher Todd Baumeister, as well as Principal Scientist Peleus Uhley will be presenting.

With DefendCon, we’re helping the industry move faster than the status quo and addressing a serious need for more women in cybersecurity.  We look forward to building upon this inaugural effort in the months and years to come.

Check out our full list of speakers and sessions. You can also follow the latest around the event on Twitter @DefendCon.


Brad Arkin
Vice President and Chief Security Officer

* https://iamcybersafe.org/wp-content/uploads/2017/03/WomensReport.pdf

Saying Goodbye to a Leader

We learned last Thursday of the passing of Howard Schmidt. I knew this day was coming due to his long illness, but the sense of loss upon hearing the news isn’t any less. While others have written more detailed accounts of his accomplishments, I would like to add some personal recollections.

I first met Howard at the RSA Conference during my first role at Adobe as director for Product Security. After that first hallway chat I had many more opportunities to spend time with Howard and learn from watching him work, particularly during our time together on the SAFECode board.

I always marveled at his energy, confidence, and consistency in front of a crowd — not only his ability to knock out one good speech, but the fact that I never saw him turn in a bad one. Despite his enthusiasm, Howard had a clear eye on the challenges, but never gave in to security nihilism.

Howard loved to tell stories, and he had an inexhaustible supply of them – from his time working as an undercover cop in Arizona when he once posed as a biker — to his time working at the White House (driving his Harley to work there, naturally), and beyond. But he also loved to hear stories from others. As a result, he had a massive network of friends he could tap into in order to get things done. As such, he was a real facilitator and leader, and always eager to help.

I will remember Howard as an incredibly accomplished man who could get along with just about anyone, and I will miss having him in my life. The outpouring of warm memories the last couple of days shows that, not surprisingly, I am far from alone.

Brad Arkin
Chief Security Officer

The Adobe Security Team at RSA Conference 2017

It feels like we just got through the last “world’s largest security conference,” but here we are again. While the weather is not looking to be the best this year (although this is our rainy season, so we Bay Area folks do consider this “normal”), the Adobe security team would again like to welcome all of you descending on our home turf here in San Francisco next week, February 13 – 17, 2017.

This year, I will be emceeing the Executive Security Action Forum (ESAF) taking place on Monday, February 13th, to kick off the conference. I hope to see many of you there.

On Thursday, February 16th, from 9:15 – 10:00 a.m. in Moscone South Room 301, our own Mike Mellor and Bryce Kunz will also be speaking in the “Cloud Security and Virtualization” track on the topic of “Orchestration Ownage: Exploiting Container-Centric Data Center Platforms.” This session will be a live coaching session illustrating how to hack the popular DC/OS container operating environment. We hope the information you learn from this live demo will give you the ammunition you need to take home and better protect your own container environments. This year you are able to pre-register for conference sessions. We expect this one to be popular given the live hacking demo, so please try to grab a seat if you have not already.

As always, members of our security teams and I will be attending the conference to network, learn about the latest trends in the security industry, and share our knowledge. Looking forward to seeing you.

Brad Arkin
Chief Security Officer

SOC 2 Type 2 (Security & Availability) and ISO 27001:2013 Compliance Across All Adobe Enterprise Clouds

We are pleased to report that Adobe has completed SOC 2 Type 2 (Security & Availability) attestations and achieved ISO 27001:2013 certification for the enterprise products within Adobe’s cloud offerings:

  • Adobe Marketing Cloud*
  • Adobe Document Cloud (incl. Adobe Sign)
  • Adobe Creative Cloud for enterprise
  • Adobe Managed Services*
    • Adobe Experience Manager Managed Services
    • Adobe Connect Managed Services
  • Adobe Captivate Prime
*(Excludes recent acquisitions including Livefyre and TubeMogul)

The control criteria behind these attestations and certifications are an important part of the Common Controls Framework (CCF) by Adobe, a consolidated set of controls that lets the Adobe teams supporting our enterprise cloud offerings across the organization meet the requirements of various industry information security and privacy standards from a single framework.

As part of our ongoing commitment to help protect our customers and their data, and to help ensure that our standards effectively meet our customers’ expectations, we are constantly refining this framework based on industry requirement changes, customer asks, and internal feedback.

Following a number of requests from the security and compliance community, we are planning to publicly release an open source version of the CCF framework and guidance sometime in FY17 so that other companies may benefit from our experience.

Brad Arkin
Chief Security Officer

Join Me at Privacy.Security.Risk 2016 in San Jose this Thursday

I will be speaking this Thursday, September 15th, from 12:15 – 1:15 p.m. at the Privacy.Security.Risk 2016 conference in San Jose, CA, sponsored by the International Association of Privacy Professionals (IAPP) and the Cloud Security Alliance (CSA). The topic will be “Achieving Container Security at Scale.”

Containers are an exciting technology that shows great promise in improving efficiency, scalability, and repeatability in cloud service development environments. However, as with any new technology, it also presents a unique set of security risks that must be addressed. As a company on the “bleeding edge” in use of this technology at scale, we believe we are in a unique position to help the security and compliance communities adopt the best security standards possible around this technology without sacrificing its benefits. My session will discuss our vision for use of container technology, the current security issues we have observed that require industry remedies to help us and our peers achieve the necessary scale, and our own ideas for helping to address these issues both in the immediate and longer term. If you are attending the conference this week, I hope you’ll be able to join me.

Brad Arkin
Chief Security Officer (CSO)

Adobe @ BlackHat USA 2016

We are headed to BlackHat USA 2016 in Las Vegas this week with members of our Adobe security teams. We are looking forward to connecting with the security community throughout the week. We also hope to meet up with some of you at the parties, at the craps tables, or just mingling outside the session rooms during the week.

This year Peleus Uhley, our Lead Security Strategist, will be speaking on Wednesday, August 3rd, at 4:20 p.m. He will be talking about “Design Approaches for Security Automation.” DarkReading says his talk is one of the “10 Hottest Talks” at the conference this year, so you do not want to miss it.

This year we are again proud to sponsor the r00tz Kids Conference @ DefCon. If you are going to DefCon and bringing your kids, we hope you take the time out to take them to this great event for future security pros. There will be educational sessions and hands-on workshops throughout the event to challenge their creativity and skills.

Make sure to follow our team on Twitter @AdobeSecurity. Feel free to follow me as well @BradArkin. We’ll be tweeting info as to our observations and happenings during the week. Look for the hashtag #AdobeBH2016.

We are looking forward to a great week in Vegas.

Brad Arkin
VP and Chief Security Officer

RSA Conference 2016 Is Just Around the Corner 

It is that time of year again. The world’s largest security conference is descending on San Francisco next week, February 28th – March 4th. This year, members of my team and I will be participating in the Executive Security Action Forum (ESAF) and speaking during track sessions of the main conference.

First up will be Mike Mellor, our Director of Security for Marketing Cloud, speaking on, “Security Monitoring in the Real World with Petabytes of Data.” This session will discuss how we use intelligent security monitoring to help safeguard our customers’ data. His session starts at 2:20 p.m. on Tuesday, March 1st, in the “Sponsor Special Topics” track in room North 131.

Later in the week will be Peleus Uhley, our Lead Security Strategist, speaking on, “Techniques for Security Scalability.” His session will discuss proper strategies and solutions for implementing security “at scale” in large organizations with diverse technology stacks. His session starts at 9:00 a.m. on Friday, March 4th, in the “Security Strategy” track in room West 3004.

As always, members of our security teams and I will be attending the conference to network, learn about the latest trends in the security industry, and share our knowledge. Looking forward to seeing you.

Brad Arkin
Chief Security Officer

An Industry Leader’s Contributions

In the security industry, we’re focused on the impact of offensive advancements and how to best adapt defensive strategies without much reflection on how our industry has evolved.  I wanted to take a moment to reflect on the history of our industry in the context of one individual’s contribution.

After many years in the software engineering and security business, Steve Lipner, Partner Director of Program Management, will retire from Microsoft this month.  Steve’s contributions to the security industry are many and far reaching.  Many of the concepts he helped develop form the basis for today’s approach to building more secure systems.

In the early 2000s Steve suffered through Code Red and Nimda, two worms that affected Microsoft Internet Information Server 4.0 and 5.0. In January 2002, when Bill Gates issued his “Trustworthy Computing memo” shifting the company’s focus from adding features to pursuing secure software, Steve and his team went to work training thousands of developers and started a radical series of “security pushes” that enabled Microsoft to change the corporate culture to emphasize product security.

Steve likes to joke that he started running the Microsoft Security Response Center (MSRC) when he was 32; the punchline being that the retirement-aged person he is today is strictly due to the ravages of the job. Microsoft security was once called one of the hardest jobs out there and Steve’s work is truly an inspiration.

The Security Development Lifecycle (SDL) is the process that emerged from these security improvements. Steve’s team has been responsible for the application of the SDL process across Microsoft, while also making it possible for hundreds of security organizations to adopt it or, like Adobe, use it as a model for their respective secure product engineering frameworks.

Along with Michael Howard, Steve co-authored the book The Security Development Lifecycle, and he is named as inventor on 12 U.S. patents and two pending applications in the field of computer and network security. He served two terms on the United States Information Security and Privacy Advisory Board and its predecessor. I’ve had the pleasure of working with Steve on the board of SAFECode – The Software Assurance Forum for Excellence in Code – a non-profit dedicated to the advancement of effective software assurance methods.

I’d like to thank Steve for all of the important contributions he has made to the security industry.

Brad Arkin
Vice President & CSO


Illegal Access to Adobe Source Code

Adobe is investigating the illegal access of source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products by an unauthorized third party.  Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident.

Adobe thanks Brian Krebs of KrebsOnSecurity.com, and Alex Holden, chief information security officer of Hold Security LLC (holdsecurity.com), for their help in our response to this incident.

We are not aware of any zero-day exploits targeting any Adobe products. However, as always, we recommend customers run only supported versions of the software, apply all available security updates, and follow the advice in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide. These steps are intended to help mitigate attacks targeting older, unpatched, or improperly configured deployments of Adobe products.

For more information on Acrobat security, please visit the Acrobat Developer Center.

For more information on ColdFusion 10 security, please visit the ColdFusion Developer Center.

Brad Arkin
Chief Security Officer

Training Secure Software Engineers

SAFECode today announced the release of a software security training program. This is an exciting new resource, not just for anyone interested in learning more about writing secure code in the real world, but for software security leaders responsible for integrating security into how the development organization builds code. SAFECode’s ambition is that this training resource will provide building blocks for folks to develop a successful customized training program for their environment. I encourage you to check out the training and I also want to provide some context about how this SAFECode release came to be.

When I first joined Adobe, nearly five years ago, my top priority was raising the security IQ across the various roles responsible for getting code out the door: from people who write and test code to the many flavors of managers (product, program, people) and everyone in between. After looking at a lot of options, we built the ASSET Software Security Certification Program and have seen thousands of Adobe employees certified every year, since the launch in early 2009.

I have received many inquiries about sharing our course materials. Rather than publishing one-off drops of the Adobe training content, we instead worked with the other SAFECode members to use our courses as the seed for the software security training site launched today. With the pooled resources of all the SAFECode contributors and a place to focus the broader community of software security champions on training, we aim to have the biggest impact.

Please stay tuned as Josh Kebbel-Wyen, Senior Security Program Manager for ASSET (Adobe Secure Software Engineering Team) publishes a series of blog posts describing the ASSET certification program at Adobe. He will offer insights into how the program helped us establish a security culture at Adobe and share tips and tricks based on lessons learned along the way.


Brad Arkin
Chief Security Officer