
SOC 2-Type 2 (Security & Availability) and ISO 27001:2013 Compliance Across All Adobe Enterprise Clouds

We are pleased to report that Adobe has achieved SOC 2 – Type 2 (Security & Availability) and ISO 27001:2013 certifications for enterprise products within Adobe’s cloud offerings:

  • Adobe Marketing Cloud*
  • Adobe Document Cloud
  • Adobe Creative Cloud for enterprise
  • Adobe Managed Services*
    • Adobe Experience Manager Managed Services
    • Adobe Connect Managed Services
  • Adobe Captivate Prime
*(Excludes recent acquisitions including Livefyre and TubeMogul)

The criteria for these certifications have been an important part of the Common Controls Framework (CCF) by Adobe, a consolidated set of controls to allow Adobe teams supporting Adobe’s enterprise cloud offerings across the organization to meet the requirements of various industry information security and privacy standards.

As part of our ongoing commitment to help protect our customers and their data, and to help ensure that our standards effectively meet our customers’ expectations, we are constantly refining this framework based on industry requirement changes, customer asks, and internal feedback.

Following a number of requests from the security and compliance community, we are planning to publicly release an open source version of the CCF framework and guidance sometime in FY17 so that other companies may benefit from our experience.

Brad Arkin
Chief Security Officer

IT Asset Management: A Key in a Consistent Security Program

IT Asset Management (ITAM) is the complete and accurate inventory, ownership and governance of IT assets. ITAM is an essential, and often mandated, prerequisite for an organization’s ability to implement baseline security practices and comply with rigorous industry standards. As IT continues to transform, organizations face the challenge of maintaining an accurate inventory of IT assets that consist of both physical and virtual devices, as well as static infrastructure and dynamic, spin-up/spin-down cloud infrastructure.

The absence of ITAM can result in a lack of asset governance and an inaccurate inventory. Without a formalized process, companies might unknowingly be exposed to insecure assets that are open to exploitation. By contrast, proper ITAM gives organizations a centralized and accurate record of inventory against which security measures can be implemented and applied consistently across the organization’s environment.

Risks Without ITAM

Assets that are not inventoried and tracked in an ITAM program present a very real and critical risk to the business. Unknown assets seldom have an appropriate owner identified and assigned. In essence, nobody within the organization owns the responsibility to ensure that the unknown asset is sufficiently governed or secured. As a result, unknown assets can quickly fall out of sync with regulatory or compliance requirements, leaving them vulnerable to exploitation.

In a world of constant patches and hotfixes, an unknown asset can become vulnerable after only a single missed update. Bad actors rarely attack the well-known and security hardened asset. It is far more common for a bad actor to patiently traverse the organization’s network, waiting to attack until they have identified an asset which the organization itself doesn’t know exists.

Benefits of ITAM

Before a company can sufficiently implement programs designed to protect its operational assets, it must first have the ability to identify and inventory those assets. Companies should put into place processes and controls to automate the inventorying of assets obtained via procurement and virtual machine provisioning. Assets can be inventoried and continuously tracked using a Configuration Management Database (CMDB). Each asset can be inventoried in the CMDB and assigned an owner, who is responsible for asset governance and maintenance until the decommission, or destruction, of the asset.

Processes must also be put into place to continuously monitor and update the CMDB inventory. One example of how Adobe monitors its CMDB is by leveraging operational security controls. For example, Adobe performs an analysis to determine whether all assets sending logs to a corporate log server are known assets inventoried in the CMDB. If an asset is not inventoried in the CMDB, it is categorized as an unknown asset. Once unknown assets are identified, further analysis is performed so that the asset can be added to the CMDB and an appropriate owner assigned.
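The reconciliation described above, as an added illustration (not Adobe’s own tooling): hosts that ship logs to the central log server are compared against CMDB records, and any log source without a record is reported as an unknown asset; as an extension, active CMDB assets that sent no logs at all are also listed. The syslog lines, hostnames, IPs and owners are constructed sample data.

```python
"""Reconcile hosts seen on a central log server against a CMDB inventory.

Added illustration of the check described above (not Adobe's code): any host
that ships logs but has no CMDB record is reported as an unknown asset so an
owner can be assigned. Hostnames, IPs and log lines are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Minimal RFC 3164-style syslog line: "<PRI>Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>[^ ]+) (?P<tag>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

@dataclass
class AssetRecord:
    hostname: str
    ip: str
    owner: str
    status: str = "active"

@dataclass
class Sighting:
    count: int = 0
    first_seen: str = ""
    last_seen: str = ""
    tags: set = field(default_factory=set)

def normalize_host(host):
    """Lowercase and strip any domain suffix so 'Web01.corp.example' == 'web01'.
    A bare IPv4 address is returned unchanged."""
    host = host.strip().lower()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return host
    return host.split(".", 1)[0]

def build_index(cmdb):
    """Map every known hostname and IP to its CMDB record."""
    index = {}
    for rec in cmdb:
        index[normalize_host(rec.hostname)] = rec
        index[rec.ip] = rec
    return index

def collect_sightings(log_lines):
    """Group syslog lines by originating host; unparsable lines are skipped."""
    sightings = defaultdict(Sighting)
    for line in log_lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        s = sightings[normalize_host(m["host"])]
        s.count += 1
        s.first_seen = s.first_seen or m["ts"]
        s.last_seen = m["ts"]
        s.tags.add(m["tag"])
    return sightings

def find_unknown_assets(cmdb, log_lines):
    """Return {host: Sighting} for log sources with no CMDB record."""
    index = build_index(cmdb)
    return {h: s for h, s in collect_sightings(log_lines).items() if h not in index}

def find_silent_assets(cmdb, log_lines):
    """Extension of the check: active CMDB assets that sent no logs at all,
    which may have been decommissioned without an inventory update."""
    seen = collect_sightings(log_lines)
    return sorted(r.hostname for r in cmdb
                  if r.status == "active" and normalize_host(r.hostname) not in seen)

# Constructed sample data.
CMDB = [
    AssetRecord("web01.corp.example", "10.0.1.10", "platform-team"),
    AssetRecord("db01.corp.example", "10.0.1.20", "data-team"),
    AssetRecord("build07.corp.example", "10.0.2.7", "ci-team"),
]
LOG_LINES = [
    "<34>Mar 12 09:58:01 web01 sshd[1201]: Accepted publickey for deploy from 10.0.9.4",
    "<30>Mar 12 09:58:44 DB01.corp.example postgres[880]: checkpoint complete",
    "<13>Mar 12 10:02:15 lab-rpi3 cron[411]: (root) CMD (run-parts /etc/cron.hourly)",
    "<13>Mar 12 10:07:02 lab-rpi3 sshd[455]: Failed password for root from 10.0.9.77",
    "<30>Mar 12 10:10:30 10.0.3.55 nginx[77]: GET /status 200",
    "this line is not syslog and is ignored",
]

if __name__ == "__main__":
    for host, s in find_unknown_assets(CMDB, LOG_LINES).items():
        print(f"UNKNOWN {host}: {s.count} lines, {s.first_seen} .. {s.last_seen}, tags={sorted(s.tags)}")
    print("silent:", find_silent_assets(CMDB, LOG_LINES))
```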

At Adobe, we have created the Adobe Common Controls Framework (CCF), a set of control requirements rationalized from the complex array of industry security, privacy and regulatory standards. CCF provides the necessary controls guidance to assist teams with asset management. ITAM gives Adobe’s internal auditors, as well as third-party external auditors, a centralized asset repository from which to gain reasonable assurance that security controls have been implemented and are operating effectively across the organization’s environment.

As described above, maintaining a complete and accurate ITAM in an organization of any size is no easy task. However, when implemented correctly, ITAM allows organizations to consistently apply security controls across the operating environment, reducing the attack surface available to potential bad actors. If organizations are not aware of where their assets are, how can they reasonably know what assets they need to protect?

Matt Carroll
Sr. Analyst, Risk Advisory and Assurance Services (RAAS)


Working with Girls Who Code

I was lucky to grow up with a support system of teachers and family who encouraged me to pursue a career in STEM. My father was an engineer and as a little girl, I wanted to be just like him. So when it came time to decide what my major in undergrad would be, I had no doubt about choosing computer engineering. When I moved to Seattle, I met many girls who did not share the same experiences as me. One told me her family just didn’t believe girls could do math, while another told me teachers were never supportive and told her that girls didn’t do well in math and science. This was just unacceptable to me. I believe that all children, regardless of their gender, race, and background should be encouraged to pursue any field they want.

Girls Who Code is a non-profit organization with a mission to create programs that will inspire, educate, and equip girls with the computing skills to pursue 21st century opportunities. Girls Who Code found that by 2020, there will be 1.4 million jobs available in tech fields and US graduates are on track to fill 29% of those jobs – but only 3% of these will be women. In the 1980s, 37% of computer science graduates were women, but today it’s only around 18%. I work in cybersecurity where the percentage of women in the field is around 11%. These are very disappointing statistics, and I wanted to help change the situation. So when my manager approached me to help teach the Girls Who Code class for Adobe in Seattle, I jumped at the opportunity.

Adobe has partnered with Girls Who Code for three years to host summer immersion programs. Apart from providing classroom space, program managers and mentors, this summer, Adobe was the only Girls Who Code partner company that provided its own instructors, with four full-time, female employees teaching the coding classes.

During the months of July and August, I taught 20 high school girls, ages 15-18, the basics of computer science skills including Scratch, Python, Arduino programming, and web development. The program also taught leadership skills like self-confidence, self-advocacy and public speaking. Other Adobe employees organized field trips, speakers, and workshops and helped the girls with projects. Several Adobe women volunteered one hour per week to provide career mentorship and conduct technical interview workshops for the girls.

The last two weeks of the program, the girls picked an idea for a final project and took it from inception to launch. They came up with BIG ideas they felt passionate about, from developing a safe places app, to teaching children arts and music, to helping students be more productive. They used technologies they had never used before, including jQuery, integrating the Google and Facebook APIs, and using MongoDB to host everything on AWS. On graduation day, the girls presented their projects to their family, mentors and various Adobe employees.

I’m proud to work at Adobe, a company that follows through on its values. In addition to all the time and resources, the Adobe Foundation gave each of the girls a laptop and a one-year Creative Cloud subscription to continue their tech journey. I am thankful to my team, who supported me in this effort and picked up the slack while I was teaching. In my own little way, I hope I have encouraged more young women to pursue STEM fields, including careers at Adobe and our peers in the tech industry.

Aparna Rangarajan
Sr. Technical Program Manager – Security

Come for Developer Day @ Adobe San Jose on September 12th

On September 12th, Adobe will host a Developer Day, organized jointly by SAFECode, the Cloud Security Alliance (CSA), and Adobe, at Adobe’s San Jose headquarters. The agenda is packed with great content and experts from leading product security organizations. Please consider attending on Monday for the opportunity to learn and network with peers across the industry.

Topics of the day include:

  • Software Assurance: Putting Industry Best Practices into Action
    • Driving Software Assurance Knowledge among Software Professionals
    • Fundamental Practices for Software Assurance
    • Third Party Components and Secure Software
  • Cloud + Dev == Security.Awesome
    • The power of cloud developer tools
    • What is DevSecOps
    • Security by design
  • Panel: Putting Software Assurance Theory into Practice

Leading industry experts from SAFECode and CSA will discuss some of the latest case studies in software assurance and new frontiers of software security. The panelists will be fielding questions and sharing experiences on the advantages organizations are gaining when leveraging the latest innovative security approaches to the development lifecycle.

For the full agenda, speakers and to register for this free event, please click here: https://www.eventbank.com/event/777/.

Look Back on 10 Years of Incident Response at Adobe @ FIRST 2016

This coming Tuesday, June 14th, from 1:00 – 2:30 p.m., join Tom Cignarella, Director of our Security Coordination Center (SCC), and Dave Lenoe, Director of Product Security, at the FIRST Conference in Seoul, Korea, for an insightful look back at the past 10 years of our work in incident response. Incident response at Adobe started off when the Product Security team was first formed working mostly on coordinated disclosure (called ‘responsible disclosure’ back then) of vulnerabilities from security researchers and partners. After a couple of years, relying on coordinated disclosure became more challenging as exploits in the wild against Adobe products began to proliferate. As the product and threat landscape evolved further, with hosted services entering into the mix, we began to see that vulnerability response and traditional network incident response were overlapping, and a new approach was required to tackle these changes.

Tom and Dave will talk about our journey, lessons we’ve learned along the way, detail our new approach now that we are a cloud services-based company, and where we see our incident response programs going in the future. You can also get a preview from Tom and Dave on this talk via a podcast from the FIRST team. If you are attending the FIRST Conference in Seoul, please join us or grab Tom or Dave in the hallway to share stories.

A Vendor Perspective on Crowd Sourced Penetration Tests

Bug bounties, also known as crowd-sourced penetration tests, are becoming increasingly popular. New programs are announced every month. At NullCon this year, there was an entire track dedicated to the topic where vendors and researchers could meet. For a security researcher, there are a ton of options for participating, ranging from self-run programs, such as Google’s, to consolidated platforms like BugCrowd and HackerOne. However, for the vendor, the path into bug bounties can be somewhat complex and the most significant benefits are not always obvious. Here are some tips on how to get more from your bug bounty.

Preparation

You should pick a team that has gone through several traditional penetration tests and where the ROI from those tests is trending down. If traditional consultants are still finding numerous bugs and architectural issues, your time and money would be better spent addressing the known issues and strengthening the architecture. Testing against a more mature development team can also benefit in other ways as you will soon see. A good crowd-sourced penetration test will involve both sides, researchers and development teams, being active in the bounty program.

If you have never done a bounty before, starting with short-term, private bounties will allow you to experience a few hiccups in a controlled situation. Be sure that you have planned out how to issue accounts to a large number of users and that the environment works when testing from outside your corporate environment. Try testing from home just to make sure it works.

Bounty guidelines

The large number of public bounties can serve as a baseline template for your test rules. As you review them, be sure to take note of their differences and consider what may have led to those differences. A good set of bounty rules will be tailored to the service being tested. One of the less obvious components of a bounty announcement is how you describe your service to the tester. While the service may be extremely popular within your social circles, a researcher across the globe may have never heard of it. Therefore, be sure your bounty description provides an easy-to-understand description of what they are testing and perhaps a link to a short YouTube video with your product pitch. The less time a researcher has to spend figuring out the goal of the service, the more time they can spend finding quality bugs.

Thematic issues

Penetration tests are typically scoped to a certain set of new features. However, crowd sourced penetration tests are often scoped across the entire service. Since traditional penetration tests are often focused on specific areas, they will not find issues in the connective code between features. Also, since the researchers are testing across the entire service, they are testing across the entire development team and not just within individual sprint teams. This may allow you to pick up on things that the overall team is consistently missing which can guide you as to where to focus energy going forward. For instance, if you have several authorization bugs, then is there a way to better consolidate authorization checking within the platform or is there a way to enable the quality team to better test these issues?

Critical bugs

Since the bounty hunters usually want to get top dollar for their efforts, they will often find more critical bugs. A critical bug is often the result of multiple issues that aren’t mentioned in the initial write-up. For instance, if they send you your password file, then there should be multiple questions beyond what type of injection was used in the attack. A few examples: Would egress filters on the network help? Do we need a host monitoring solution to detect when the server process touches unexpected files? It is important to remember that these critical bugs aren’t just theoretical issues found through a code review. These vulnerabilities were successfully exploited issues found via black box testing of your infrastructure from a remote location.

Variant testing

If you have developers on hand during the bounty, then the developers can push the patch to the staging environment before the end of the program. You can then reach out to the researcher and say, “Bet you can’t do that twice!” You basically offer the researcher a separate bounty if they can find a variant or the same bug in a different API. It often isn’t difficult for the researcher to re-test something they have already tested. For the developer, they get immediate feedback on the patch while the issue is still fresh in their minds. In my experiments at Adobe, losing that bet with the researcher is more valuable than the money it costs us because it typically identifies some broader issue with the platform or the process. This can be key for critical bugs.

Red Team/Blue Team

With a crowd-sourced penetration test, you are likely testing against your staging environment or a dedicated server in order to minimize risk to your production network. A staging environment typically has low traffic volumes since only the product team is using it. However, during the testing period, you will have people from across the globe testing that environment and reporting the vulnerabilities that they are finding. For your response teams, this is an excellent opportunity to see what your logs captured about the attack. In theory, identifying the attack should be straightforward since the staging environment is low volume, you know what attack occurred, and you have a rough estimate of when the attack occurred. If you can’t find an attack in your logs under those conditions, then that is clear feedback about how your logging and monitoring can be improved. If you can save the logs until after the bounty has ended, this type of analysis can be done post-assessment if you don’t have the resources to play along in real time.
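The blue-team exercise described above, as an added example (not Adobe’s code): each researcher report names the bounty account used, the endpoint hit and an approximate time, and the script looks for matching entries in the staging access log within a time window, flagging a logging gap where none exist. It assumes the combined access-log format with the issued bounty account in the authuser field; the log lines and reports are constructed.

```python
"""Check whether bounty findings can be located in staging logs.

Added example of the blue-team exercise described above (not Adobe's code).
Assumes researchers test with accounts issued for the program (so the
account name appears in the access log's authuser field) and report the
endpoint plus an approximate time. Log lines and reports are constructed.
"""
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" format; the authuser field carries the bounty account.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_access_log(lines):
    """Parse combined-format lines into dicts; skip lines that don't parse."""
    out = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            rec["status"] = int(rec["status"])
            out.append(rec)
    return out

def locate_finding(entries, report, window_min=30):
    """Return the log entries that plausibly correspond to one bounty report:
    same account, same path prefix, within +/- window_min of the reported time."""
    centre = datetime.strptime(report["reported_at"], TS_FMT)
    lo, hi = centre - timedelta(minutes=window_min), centre + timedelta(minutes=window_min)
    return [e for e in entries
            if e["user"] == report["account"]
            and e["path"].split("?", 1)[0].startswith(report["path_prefix"])
            and lo <= e["ts"] <= hi]

def coverage_report(entries, reports, window_min=30):
    """Map each report id to ('found', entry count) or ('logging gap', 0)."""
    result = {}
    for r in reports:
        hits = locate_finding(entries, r, window_min)
        result[r["id"]] = ("found", len(hits)) if hits else ("logging gap", 0)
    return result

# Constructed staging access log.
LOG_LINES = [
    '10.20.0.5 - bounty-user-17 [14/Mar/2016:13:02:11 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512',
    '10.20.0.5 - bounty-user-17 [14/Mar/2016:13:02:19 +0000] "GET /api/v1/users/43 HTTP/1.1" 200 509',
    '10.20.0.5 - bounty-user-17 [14/Mar/2016:13:02:27 +0000] "GET /api/v1/users/44 HTTP/1.1" 200 511',
    '10.20.0.9 - bounty-user-03 [14/Mar/2016:15:40:02 +0000] "POST /login HTTP/1.1" 302 0',
    '10.20.0.9 - bounty-user-03 [14/Mar/2016:15:41:30 +0000] "GET /export?file=../../etc/passwd HTTP/1.1" 200 2048',
    'garbage line that does not parse',
]
# Constructed researcher reports: which account, what they hit and roughly when.
REPORTS = [
    {"id": "B-101", "account": "bounty-user-17", "path_prefix": "/api/v1/users/",
     "reported_at": "14/Mar/2016:13:00:00 +0000"},
    {"id": "B-102", "account": "bounty-user-03", "path_prefix": "/export",
     "reported_at": "14/Mar/2016:15:45:00 +0000"},
    # Reported against an upload endpoint that never appears in the log:
    # the request reached the app but no access line was written.
    {"id": "B-103", "account": "bounty-user-03", "path_prefix": "/upload",
     "reported_at": "14/Mar/2016:16:10:00 +0000"},
]

if __name__ == "__main__":
    for fid, (verdict, n) in coverage_report(parse_access_log(LOG_LINES), REPORTS).items():
        print(f"{fid}: {verdict} ({n} matching log entries)")
```

A "logging gap" verdict is the signal the post describes: a known, timed, low-volume event that the logs cannot account for.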

A crowd-sourced penetration test can change up the routine you have established for finding issues. Like any change in routine, there can be a few challenges at first. However, when done well, they can provide a vendor with insights that they may have never obtained through the existing status quo. These are not a replacement for traditional consultants. Rather, the new insights into the platform can help you re-focus the consultants more effectively to get a higher ROI.


Peleus Uhley
Principal Scientist

Observations on CanSecWest 2016

Several members of Adobe’s product security team attended CanSecWest this year. The technical depth and breadth of the research presented in Vancouver this year yet again lived up to expectations. Of the security conferences that Adobe sponsors throughout the year, CanSecWest consistently draws a critical mass from the security research community, with offensive, defensive and vendor communities well-represented. Research presented this year ranged from discussions about advanced persistent threats (APTs), to vulnerabilities in software, to frameworks that assist in hardware security testing.

Trending Topics

Securing “the cloud” and the underlying virtualization technology is increasingly recognized as a core competency rather than an add-on. A presentation by Qinghao Tang from Qihoo 360 demonstrated several security testing techniques for virtualization technology. In particular, his work outlined a framework for fuzzing virtualization software which led to the discovery of four critical vulnerabilities in the QEMU emulator.

In a separate presentation, Shengping Wang (also from Qihoo 360) described a technique to escape a Docker container and run arbitrary code on the host system. Specifically, the technique allowed an attacker to tamper with data structures storing kernel process descriptors to yield root access.

As the Internet of Things (IoT) continues along its explosive growth path, the community assembled at CanSecWest is among the more vocal in warning of the security implications of billions of inter-connected devices. Artem Chaykin of Positive Technologies described how almost every Android messaging app that uses Android Wear is vulnerable to message interception. Moreover, malicious third-party apps can be used to not only intercept messages, but also send arbitrary messages to everyone on the contact list of a device.

A separate talk by Song Li of OXID LLC described attacks on “smart” locks. The attacks exploit pairing between a dedicated app and a Bluetooth key fob to achieve DoS (i.e., inability to unlock the door) and unintended unlocking.

Attributing cyber intrusions to specific actors or APTs can be controversial and subject to error. This was the topic of an interesting talk by several researchers from Kaspersky Labs. In particular, APTs have increased their use of deception tactics to confuse investigators attempting to assign attribution, and Kaspersky highlighted several examples of APTs deliberately planting misleading attributes in malware.

Continuing with the APT theme, Gadi Evron of Cymmetria discussed how the OPSEC of APTs has evolved over time to handle public disclosure of their activities.

Additional research

Building on recent advances in static and dynamic program analysis, Sophia D’Antoine of Trail of Bits described a practical technique for automated exploit generation. The techniques described have inherent scalability issues, but we expect to see increased automation of certain aspects of exploit development.

In an exploration of graphics driver code, the Keen Labs Tencent team described fuzzing and code auditing strategies to identify bugs in Apple’s graphics drivers. Moreover, the team described an interesting method to gain reliable exploitation of a race condition that caused a double-free vulnerability on a doubly-linked list representation.

Guang Tang of Qihoo 360’s Marvel Team demonstrated how to exploit a vulnerability in the V8 JavaScript engine on a Google Nexus device to achieve remote code execution. With code execution achieved, his team was then able to perform device actions such as installing arbitrary apps from the app store. Importantly, they demonstrated that this vulnerability is still present in the Android PAC (Proxy Auto Config) service.

Finally, building on earlier work by Google Project Zero and other research, Chuanda Ding from Tencent Xuandu Lab presented research on abusing flaws in anti-virus software as a means to escape application sandboxes.

The exposure to bleeding-edge research presented by subject matter security experts, and the opportunity to forge new relationships with the security research community, set CanSecWest apart from the other security conferences Adobe attends throughout the year. We hope to see you there next year.

Slides for these and other CanSecWest 2016 presentations should be posted on the CanSecWest site in a week or two.

Pieter Ockers
Sr. Security Program Manager

FedScoop Sits Down with our own Mike Mellor to Talk About Adobe’s Security Practices

Adobe recently hosted the 7th annual Adobe Digital Government Assembly in Washington, DC. Our own Mike Mellor, Director of Security for Adobe Marketing Cloud, sat down for an interview with FedScoop online magazine to discuss Adobe’s core security initiatives and best practices. In this two-minute interview, Mike talks about the Adobe Secure Product Lifecycle (SPLC) and other activities we use to help ensure secure application development practices. In addition, he talks about how we are working at the infrastructure and platform layer to meet industry security and privacy standards through the Adobe Common Controls Framework (CCF). Finally, he discusses how we decide our major areas of focus for security to help meet our customers’ risk management needs.

You can watch the entire interview below:

Join Our Security Team at OWASP AppSec California 2016

Senior members of the Adobe corporate security team will be presenting at the upcoming OWASP AppSec California conference. This conference will be held this coming Monday through Wednesday, January 25 – 27th, in Santa Monica, CA. Adobe is a proud Premier corporate supporter of OWASP. If you are planning to attend this conference, we hope you will take the time to hear our team members in their sessions.

Leading off will be Peleus Uhley, our Lead Security Strategist. He will be presenting on “Design Approaches for Security Automation” on Tuesday, January 26, at 11:30 a.m. This presentation will discuss criteria for designing and evaluating security automation tools for your organization. Each of these tools has different goals and technologies that meet its organization’s needs. When it comes to your organization, how will you decide whether to build, buy, or borrow? What qualities make a good design for your environment? How do you ensure that your implementation will effectively enable teams rather than creating more noise? Please make sure to join Peleus for answers to these questions and more during his session.

Following Peleus, our Director of Product Security, Dave Lenoe, will present on Wednesday, January 27th, at 2:00 p.m. about “10 Years of Working With the Community.” In this session Dave will talk about his more than 10 years of experience working on incident response and product security, sharing his perspective on the security landscape. He will also reflect on the evolution of response and application security and look at the ways that we all interact with each other now versus a decade ago. He’ll also look into the crystal ball just a bit to discuss what the future may bring.

We hope you will take the time during the conference to attend these sessions and meet our security team members.

Chris Parkerson
Senior Marketing Strategy Manager – Security

Community Collaboration Enhances Flash

With the December release of Flash Player, we introduced several new security enhancements. Just like the Flash Player mitigations we shipped earlier this year, many of these projects were the result of collaboration with the security community and our partners.

Adobe has spent the year working with Google and Microsoft on proactive mitigations. Some of the mitigations were minor tweaks to the environment, such as Google’s Project Zero helping us add more heap randomization on Windows 7, or working with the Chrome team to tweak our use of the Pepper API for better sandboxing. There have also been a few larger scale collaborations.

For larger scale mitigations we tend to take a phased, iterative release approach. One of the advantages of this approach is that we can collect feedback to improve the design throughout implementation. Another advantage is that moving targets can increase the complexity of exploit development for attackers who depend on static environments for exploit reliability.

One example of a larger scale collaboration is our heap isolation work. This project initially started with a Project Zero code contribution to help isolate vectors. Based on the results of that release and discussions with the Microsoft research team, Adobe then expanded that code to cover ByteArrays. In last week’s release, Adobe deployed a rewrite of our memory manager to create the foundation for widespread heap isolation, which we will build on going forward. This change will limit attackers’ ability to effectively leverage use-after-free vulnerabilities for exploitation.

Another example of a larger scale mitigation this year was – with the assistance of Microsoft – our early adoption of Microsoft’s new Control Flow Guard (CFG) protection. Our first rollout of this mitigation was in late 2014 to help protect static code within Flash Player. In the first half of this year, we expanded our CFG usage to protect dynamic code generated by our Just-In-Time (JIT) compiler. In addition, Microsoft also worked with us to ensure that we could take advantage of the latest security controls for their new Edge browser.

Throughout 2015, vulnerability disclosure programs and the security community have been immensely helpful in identifying CVEs. Approximately one-third of our reports this year came via Project Zero alone. Many of these were non-trivial, as the reported bugs often required significant manual research into the platform. With the help of the security community and partners like Microsoft and Google, Adobe has been able to introduce important new exploit mitigations into Flash Player, and we are excited about what we are queuing up for next year’s improvements. Thank you to everyone who has contributed along the way.

Peleus Uhley
Principal Scientist