Author Archive: Chris Parkerson

The OSCP Gauntlet

As a developer who works mainly on the defensive side of the software security battle, it’s easy to lose sight of the difference in complexity between defending and attacking a system. When you have a sufficiently large surface of attack, finding your way in is much more probable than covering every security hole there is. This potential loss of perspective is the reason I think any defensive actor in the security field should constantly exercise the offensive side.

With this in mind and with the desire to improve my penetration testing skills, I started to look for a course and/or certification that suited me. The landscape is by no means lacking. Some options, however, focused a bit too much on theory and less on practice. Those options are great for someone just starting out in security, but I was looking for something more.

I found OSCP (Offensive Security Certified Professional Certification), which is offered by the same people who maintain Kali Linux and the Exploit Database. Offensive Security has been a prominent and respected player in the penetration testing market for a while due to their development, maintenance, and funding of BackTrack Linux. BackTrack was later rebuilt as Kali Linux, the most utilized distribution for digital forensics and pen testing. Research into the OSCP certification revealed opinions ranging from “wow, what a course!” to “not for the faint of heart”. Everyone was also praising the hands-on approach to learning and the excellent lab environment where you could practice what they preach.

The Course

I felt OSCP best suited my criteria and provided a sufficiently hard challenge. The course material consists of an 8 hour video series and a 350 page lab guide. It follows the usual attack methodology: recon, exploitation, enumeration, privilege escalation, persistence, data exfiltration, pivoting. For each step you’re guided through the theory, which tools to use and how to use the information you gain. There are also sections dedicated to developing buffer overflow exploits. These will teach you fuzzing, how to create an overflow exploit, and also how to do a full reverse shell.

You will need to do a significant amount of individual research above and beyond provided course materials in order to widen your array of skills and tools sufficiently for success. I think this is what separates OSCP from other certifications. They plant the seed, leading you to scour the Internet searching for deeper knowledge on the subject. This is not a step-by-step course!

The Lab

The lab component is actually what makes OSCP stand out. You go headfirst into a virtual environment which simulates a real enterprise network totaling 50 machines – a Public Network, an IT Department, a Development Network, and an Administrative Department. The network is very realistic and some computers actually talk to each other. Your challenge is to hack your way through to the admin machines deep in the network. The course motto of “try harder” becomes immediately evident when you try to put theory into practice in this lab. You will need to do a lot of research and conjure a great deal of patience and tenacity – but, it’s all worth it in the end.

The Exam

The final exam is a whole other story. You don’t get the standard issue multiple choice test. Instead, you have 24 hours to hack your way through 5 completely unknown machines and gain root privileges on all of them. It sounds bad, but it can actually feel fun at times – especially as you inch your way through the many barriers. It does take a toll, however. Your ability to control stress, maintain focus, and manage time will be thoroughly tested. In preparation for the big day, I even loaded my home desk with a myriad of bars, chocolates, and anything that would keep me going – I ate almost none of them. Time moves very fast once you start the exam. I also found it was very easy, both in the lab and in the exam, to get stuck on one path and go down a proverbial rabbit hole, thinking it’s the way through. You need to know when to ditch the angle you’re currently working on and try a new one.

When the 24 hours pass, you get the feeling you are done, finished, that you can just relax…

Nothing could be further from the truth, unfortunately. After hacking your way through the machines, you need to write a professional penetration testing report on the whole process and you have another 24 hours to submit it. This is where OSCP focuses on the business side of the story and emphasizes the ability to put pen on paper and deliver a document that is useful for decision makers. Nothing is graded unless it is properly explained in the report. This means you need to carefully document your thoughts and actions during the actual penetration test. Writing that report after the grueling 24 hours is no easy task – but an essential exercise to ensure you have the skills to communicate findings in a useful way to business stakeholders.


The OSCP madness should be enough for anyone who wants to hone their penetration testing skills. It won’t make a seasoned pentester out of you, but it will set you running on the path. I’m sure that even senior pentesters can learn something new from the 50+ machines you can hack and slash in the lab. It also gives you the feel of how much easier it is to break a complex system than it is to protect it – insight any security engineer should have. I highly recommend the course and the certification exam. You can find out more about them on the Offensive Security site.

Bogdan Ionita
Computer Scientist

Learn More about HubbleStack at SCALE 16x

Christer Edwards, one of our Adobe Experience Cloud engineers and co-creator of our latest open source project, HubbleStack, will be speaking about the project this Saturday, March 10th, at the SCALE 16x conference in Pasadena, CA. Come and join Christer to learn more about HubbleStack – a window into your infrastructure that helps drive better compliance. HubbleStack’s components provide auditing, information collection, integrity monitoring, and reporting capabilities across diverse infrastructure. Adobe is currently using HubbleStack to assist with our ongoing compliance efforts.

We are inviting everyone to download HubbleStack for free and try it out in their own environment. We also encourage other developers to join the project and help develop future iterations. Christer will also be available to chat outside of his talk at our HubbleStack booth on the expo hall floor at the conference. If you’re planning to attend SCALE 16x this year, we hope you are able to attend Christer’s session and stop by our information booth.

Adobe & Splunk CTF Competition

A hallmark of an engaged team is continuous learning and improvement. And this is no different for a SOC (Security Operations Center) team. We believe that readiness is a key aspect of learning and improving, and readiness is critical for a SOC team’s success. Capture the Flag (CTF) events are one of the best ways that a SOC can remain sharp. We strive to do as many of these as we reasonably can each year.

On Thursday, January 18, 2018, Adobe, in conjunction with Splunk Inc., sponsored a Boss of the SOC competition. The BOTS competition is a Blue Team-focused Capture the Flag (CTF) style competition where contestants play the part of a Security Operations Center analyst. Teams are presented with various questions about multiple security-related scenarios. Some are easy. Some are hard. The teams use a Splunk Search Server, background information, and external sources to answer the questions as quickly and accurately as they can. The contestant with the most points at the end of the competition wins.

The Adobe Security Coordination center and several industry partners joined forces, divided into several different teams, and worked together to test out security skills that included reverse engineering malware, identifying data exfiltration behaviors, and identifying malicious user activity.   Each team played the role of security analysts helping a home brewing supply company work through some major incidents they have experienced.  The competition used realistic data in Splunk, Splunk Enterprise Security and the wild, wild web, while racing against the clock to identify: the who, the how and the where of a full forensic investigation. Teams were given a series of questions with varying types and degrees of difficulty and received more points if answered quickly. And the harder the question, the more points awarded.

The stellar effort by all teams involved made this event a hugely successful competition. This was a great learning experience for everyone involved. We would like to extend warm congratulations to the winning team which consisted of members of our Adobe team and our industry partners with an amazing performance! We had 48 participants from 5 organizations attend the event and sincerely thank Splunk Inc. for their efforts in supporting the event for us.

Joseph Davidson
Sr. Manager, Security Monitoring

How Adobe Helps Protect You from Email Phishing

Email has always been a tool of choice for cybercriminals. By capitalizing on an established company’s brand reputation, they can send emails with malicious intent (links, attachments, phishing, etc.) and trick people into trusting these emails. Adobe’s own brand reputation has been leveraged in the past for such schemes.

In order to protect our customers from potential confusion or victimization, we embarked on a project to help ensure that emails you receive from Adobe are verified and authenticated, to limit the likelihood of brand impersonation that could harm our customers.

So, how exactly do we ensure that our emails appear to our customers as from an authenticated sender? We first moved to implement email authentication technologies such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, & Conformance) policies into our email ecosystem.  To begin, we needed to identify our Adobe-owned domains.  Through this process, we identified that Adobe owned a very large number of domains. After collecting traffic against these domains, we carefully analyzed this data.  Next, we made necessary adjustments to SPF and/or DKIM records for each identified domain to improve our email authentication pass rate, help protect Adobe owned domains, and better ensure that emails received by customers on behalf of Adobe are genuine.

Through this journey, we identified and overcame a few hurdles:

  • Integrating our third party service providers into this program;
  • Managing domain owners as part of a dynamic environment;
  • Implementing a complex process to ensure emails were sent in compliance with SPF/DKIM to achieve an acceptable DMARC pass rate (usually greater than 97-99%), in order to move to quarantine and finally to a reject policy;
  • Developing new domain onboarding policies with multiple stakeholders.

We continue to invest in sending “takedown” notices whenever possible for domains that we find are being used to send malicious emails or host phishing websites that impersonate our brands. There has also been a recent upswing in targeted spear phishing attacks as cybercriminals evolve and try different tactics. We continue to work to protect Adobe and our customers against this next generation of threats to Adobe’s email authenticity and its deliverability. If you do receive an email that you suspect is phishing, please forward it to us at for investigation. These external reports help us to continuously improve our approach.

Vivek Malik
Security Analyst

Marcail Kennedy
Manager, Messaging Services

Introducing HubbleStack

Hello! My name is Colton Myers and I am the co-creator and architect of HubbleStack, an open-source security compliance project written in Python. Christer Edwards, another member of our team, named the tool after the Hubble telescope. Just like the Hubble telescope gives us a window into the complexities of our universe, HubbleStack gives us a window into the complexities of our infrastructure!

To help facilitate faster compliance with security controls across Adobe, especially due to our many acquisitions in recent years, we found that we needed a tool to handle security auditing and compliance that scaled across many teams with varying infrastructure.

We tried a couple of third party vendors, but struggled to get the data we needed with the performance we required. Open source software is also our preference wherever possible.

Christer decided to get a proof of concept replacement into development. It was based around SaltStack – our tool of choice for configuration management. The new tool worked really well. We quickly pivoted to create a version that uses SaltStack as a library and doesn’t require Salt to be installed on the target system.

It is composed of a few different components:

  1. Nova – This is the audit piece of Hubble. It uses a set of user-defined profiles to audit against security standards, such as CIS (Center for Internet Security) standards. It returns successes and failures as well as a compliance percentage for the system.
  2. Nebula – This is the information-gathering piece of Hubble. It primarily uses the open source project osquery to collect all sorts of raw information from the systems which we can then use to search for patterns, vulnerabilities, and attacks.
  3. Pulsar – This is the file integrity monitoring piece of Hubble. On Linux it uses inotify to monitor file events on the system and send them wherever you specify.
  4. Quasar – Quasar is the reporting piece of Hubble. It is a series of modules which help you get the data to its final destination.

The project has grown at an incredible pace at Adobe. It is now deployed to almost every server across Adobe. We collect almost 5TB of data per day for our Experience Cloud solutions. Hubble has been a great help for us to find and fix issues that other tools may have otherwise missed.

But this is only the beginning! We want to continue to add more capabilities to the tool. We want to flesh out our CIS audit profiles, add more STIG (Security Technical Implementation Guides) and other audit profiles, and add more modules to gather different data. We also invite others to help contribute to the development of HubbleStack. The project is open sourced and you can join the project on GitHub.

Colton Myers
Software Engineer, Digital Marketing solutions

Adobe @ CS3STHLM-2017

It was a great experience to present at CS3STHLM-2017 in Stockholm recently. My talk was on the topic ‘S in IoTs is for Security’ which focused on the causes and security concerns associated with the Internet of Things. The presentation showcased the demonstration of techniques to take over the most commonly used smart devices. The highlights of my talk were:

  1. Viewing real time DVR streaming without authentication
  2. Controlling a Smart BLE bulb
  3. Gaining shell in a well-known Smart Plug

The presentation also had a few security recommendations which device manufacturers should keep in mind while designing and manufacturing the devices. My talk was followed by a panel discussion where I shared my insights on the biggest security challenges in IoT/IIoT.

The conference also gave me an opportunity to interact with attendees on various topics. There were sessions on quite advanced topics in the field of ICS such as securing the SCADA protocol for the 21st century and using old school techniques to discover backdoors in modern devices. It was an overall great experience to represent Adobe in Stockholm as one of our security champions and experts.

Akriti Srivastava
Security Engineer

Adobe @ OWASP Bucharest 2017

October was National Cyber Security Awareness Month. Everywhere across the globe various events are held to further awareness and education in cyber security. In Bucharest, Romania, the 5th edition of the annual Bucharest OWASP AppSec conference was organized at Hotel Caro with over 300 participants. It was a 3-day conference with training days, Capture the Flag (CTF) contests, and educational presentations and panels. Industry practitioners shared their experiences, knowledge, and projections.

Adobe was a sponsor of this year’s conference and our security team from Romania attended and spoke at the conference. Members of our team participated in a “Women in AppSec” panel to discuss issues facing women in the field and possible activities to encourage more women to become cyber security professionals. The panel included both managers as well as practitioners in the field. Feedback about Adobe’s participation and our team’s talks on social media was very positive throughout the conference.

Adobe Security Team @ OWASP Bucharest 2017

There were two tracks this year at the conference, both containing a lot of industry-focused subjects. The first track included talks on the Application Security Lifecycle, N different strategies to automate OWASP ZAP, Security champions 2.0 discussing how to evolve security champion programs, Man-in-the-browser attacks, and How my SVM nailed your Malware. The second track covered the topics of Threat modelling, Testing for cyber resilience: tools & techniques for adversary attack/defense simulation, Less Known Web Application Vulnerabilities, Overview of TLS v1.3, a talk from our Adobe team on measures authentication systems can take to protect their users against credential stuffing, BDD Mobile security testing, and Securing the code and waiting for skilled hackers.

If you are in Romania next year for the OWASP conference, be ready to grab a coffee at the lunch break with the Adobe team to discuss our mutual security passions. We will also continue to highlight the efforts of our Romanian and other global security teams here on the Security@Adobe blog.

Cristina Nica
Security Engagement Specialist

ReproNow: Triage Assistant

Bug bounty programs (i.e., crowdsourced security) can bring a lot of benefits. Organizations are able to leverage talent from all over the world while bug hunters can get compensated for submitting bugs and improve their personal reputation within the security community. While all of this is amazing, as security engineers we still have to endure the most painful part of this process – triaging.

The Problem

The amount of information required to understand a bug and reproduce it in today’s complex ecosystems is one of the biggest challenges faced by security engineers. Providing so many pieces of information like user flows, videos, and requests is a challenge for bug bounty hunters. This is what we wanted to solve with ReproNow.

What is ReproNow?

ReproNow is an open source browser extension to help bug bounty hunters and engineers triage quicker and better. This tool captures your screen and the underlying network data and presents it as a video. It also provides a “Previewer” – an interactive UI to view the screen capture and the corresponding network requests in context. It also displays the headers and body of any “Request” call selected and presents the corresponding “Response” headers. Everything happens on the client side. As paranoid as we are as security engineers, the last thing to do is to trust and store vulnerabilities of various organizations on another server. So, everything in this tool is built on the client side.

This tool uses 3 main components:

  1. Screen Capture – Achieved by using chrome.screenCapture (which uses getUserMedia API)
  2. Network Capture – Achieved using getWebRequest API
  3. Export Screen + Network as MKV –  Achieved by storing the network information in attachment section of MKV using ffmpeg.js/ts-ebml on client.

For more technical details on how this works, refer to this blogpost.

ReproNow Previewer

Tool Features:

  • Capture screen and network data
  • Option to copy any request as “Curl” or “Raw”
  • Video on local storage
  • Previewer with a clean UI to have all information on one screen
  • Single file with network and screen
  • History on the extension shows the previous videos
  • Host Previewer locally or just go to
  • Lots of options to customize what you want to capture
  • Everything on client side
  • Open Source – Customize and change as you like


Go to and load the demo video.

Get It Now

ReproNow is available on the Chrome Store as an extension. The project “repo” is available on GitHub.


Lakshmi Sudheer
Security Researcher

It’s National Cyber Security Awareness Month: Learn How Adobe Security Participates and How You Can Get Involved

With email phishing scams, ransomware and more, the internet can sometimes feel like a dangerous place. But the good news is that we all can greatly reduce our exposure to cyber threats by being aware and following a few simple tips, like how to create stronger passwords and how to back up your data. Adobe participates in National Cyber Security Awareness Month (NCSAM) by promoting cyber-safety best practices to its employees. It’s important to raise awareness for this topic as it helps to better protect our customers and our employees while elevating our security posture at Adobe.

We host a number of internal, security-focused events. Security best practices are posted in all our office elevators, and our intranet provides tips on how to protect against phishing attacks and create stronger passwords, and teaches employees why it’s important to keep software up-to-date. At Adobe, there’s new security-related information or activities to look for every week of October.

During NCSAM, Adobe’s security and safety experts will discuss Internet safety with Adobe employees. Those who attend the sessions will learn how to be safer online, understand social engineering tactics and discover ways to utilize privacy controls in social media platforms. The Adobe Secure Software Engineering Team (ASSET) is sponsoring an internal bug bounty, in which employees compete for prizes by finding and reporting security vulnerabilities in an internal application.

In addition to our annual internal bug bounty and capture-the-flag competitions, our Adobe Secure Software Engineering Team (ASSET) in India will host a series of internal events in Noida and Bangalore to promote security awareness, all of these events leading up to a multi-event Tech Talk. This year’s Tech Talk is open to all Adobe employees, and will feature presentations on content security, intelligent browsers, protecting against third-party vulnerabilities and more.

At Adobe, we like to celebrate NCSAM and sharpen our security skills internally. What kind of activities do you participate in during the month to celebrate cyber security awareness? Tweet @AdobeSecurity with #CyberAware to join the discussion.

Also, last year Adobe conducted a survey and posted an infographic on cyber security awareness statistics; check it out!

For more information and how to get involved:


Julia Knecht
Manager, Security & Privacy Architecture
Digital Marketing

Adobe Document Cloud now SAFE-BioPharma® Certified

Adobe Document Cloud*, including Adobe Acrobat DC, Adobe Reader DC and Adobe Sign, is now SAFE-BioPharma® certified. Adobe Document Cloud solutions help Life Sciences companies protect critical data and documents, while complying with signature laws and regulations around the globe. With more than seven billion mobile devices in the world and cyber-threats at an all-time high, demand has surged for simple, more secure ways to provide options for trusted electronic signatures. The SAFE-BioPharma® certification helps Life Sciences companies provide global high-assurance identity trust for cyber-transactions that rely on service providers.

Working with the world’s most trusted digital IDs today, Adobe Sign enables desktop signing with over 200 providers from the European Union Trust List (EUTL) and Adobe Approved Trust List (AATL). Adobe Sign is compliant with SOC2-Type 2, ISO-27001, PCI-DSS, and HIPAA requirements and can be configured to comply with FERPA, GLBA, and FDA 21 CFR Part 11. Now, with SAFE-BioPharma® certification, Life Sciences and Pharmaceutical companies can use Adobe Document Cloud for patient consent forms, field service reports, lot traceability, supplier contracts and more, in any browser or on any mobile device with added confidence.

Over the past several years, Adobe has made significant investments across the company to pursue compliance with significant certifications, regulations and standards. These accomplishments for Adobe’s cloud services and solutions, such as Adobe Sign, allow us to provide our customers with assurance that their data and applications are more secure.

Abhi Pandit
Sr. Director of Risk Advisory and Assurance

*excludes PDF Services