Posts in Category "Uncategorized"

The Impact of Public Policy on Cybersecurity

Public policy has been joined at the hip with cybersecurity in some shape, form or fashion for a while now. Whether it’s been efforts to increase information sharing between businesses and government agencies, progress towards developing cybersecurity standards, or laws mandating disclosure of security incidents in a timely fashion, public policy has a clear impact on cybersecurity programs. People are paying closer attention to cybersecurity and the policies put in place to help keep information secure. As cybersecurity teams are constantly re-evaluating best practices, we wanted to gain a better understanding of how cybersecurity professionals view public policy changes.

We fielded a survey of more than 500 private and public-sector cybersecurity professionals to better understand if they think public policy impacts their jobs and perceptions on whether the industry is prepared for upcoming policy changes. Here’s what we learned:

  • Public policy impact on cybersecurity professionals’ roles: Nearly 90% of cybersecurity professionals said that public policy affected their jobs on a daily basis, yet only 48% of cybersecurity professionals said that they follow cybersecurity policy issues very closely.
  • Lack of confidence around organizations’ preparedness for upcoming changes: only 37% of cybersecurity professionals surveyed felt their organizations were prepared for upcoming policy changes.
  • Government regulations have a positive impact on cybersecurity. Even more interesting, 86% agreed that government regulations have a positive impact on cybersecurity. This is contrary to the stereotypical belief that regulations are unwanted or a burden. While 64% agreed their organizations spend too much time and budget on compliance, 92% agreed that the information security industry needs more common security standards/frameworks. While we found this intriguing, it didn’t surprise us. At Adobe, our teams also felt that we needed to streamline compliance and industry standards, so our security team developed the Adobe Common Controls Framework (CCF), a framework that streamlined 1,000 requirements down to 200 security controls. We’ve heard from peers and customers that this is a critical piece of the security and public policy puzzle, and as a result we “open-sourced” the framework to help other organizations simplify their own compliance standards.
  • Companies should be more proactive in sharing relevant resources on cybersecurity public policy changes. Regardless of the size of your company or organization, there are resources that can help cybersecurity professionals increase their awareness of public policy, and our survey results demonstrate that there is a greater need for cybersecurity professionals to stay informed and up to date on public policy changes that affect their day-to-day jobs. There are numerous trade organizations, non-profits and media outlets that track developments in the public policy space that specifically pertain to cybersecurity. Internally, your legal department would also be a good source of information, along with your government relations team if your organization is large enough. Lastly, social media outlets can be a tremendous resource for following public policy events.

Our survey shows that cybersecurity professionals know that public policy is important, but that there’s a gap between following developments closely and the information they actually have about specific issues. See the full survey results here and an infographic of our survey highlights here. We’d love to hear how public policy impacts your day-to-day responsibilities – share your thoughts with us on Twitter @AdobeSecurity with the hashtag #AdobeSecuritySurvey.

Introducing HubbleStack

Hello! My name is Colton Myers and I am the co-creator and architect of HubbleStack, an open-source security compliance project written in Python. Christer Edwards, another member of our team, named the tool after the Hubble telescope. Just like the Hubble telescope gives us a window into the complexities of our universe, HubbleStack gives us a window into the complexities of our infrastructure!

To help facilitate faster compliance with security controls across Adobe, especially due to our many acquisitions in recent years, we found that we needed a tool to handle security auditing and compliance that scaled across many teams with varying infrastructure.

We tried a couple of third-party vendors, but struggled to get the data we needed with the performance we required. Open source software is also our preference wherever possible.

Christer decided to get a proof of concept replacement into development. It was based around SaltStack – our tool of choice for configuration management. The new tool worked really well. We quickly pivoted to create a version that uses SaltStack as a library and doesn’t require Salt to be installed on the target system.

It is composed of a few different components:

  1. Nova – This is the audit piece of Hubble. It uses a set of user-defined profiles to audit against security standards, such as CIS (Center for Internet Security) standards. It returns successes and failures as well as a compliance percentage for the system.
  2. Nebula – This is the information-gathering piece of Hubble. It primarily uses the open source project osquery to collect all sorts of raw information from the systems, which we can then use to search for patterns, vulnerabilities, and attacks.
  3. Pulsar – This is the file integrity monitoring piece of Hubble. On Linux it uses inotify to monitor file events on the system and sends them wherever you specify.
  4. Quasar – Quasar is the reporting piece of Hubble. It is a series of modules which help you get the data to its final destination.

The project has grown at an incredible pace at Adobe. It is now deployed to almost every server across Adobe. We collect almost 5TB of data per day for our Experience Cloud solutions. Hubble has been a great help for us to find and fix issues that other tools may have otherwise missed.

But this is only the beginning! We want to continue to add more capabilities to the tool. We want to flesh out our CIS audit profiles, add more STIG (Security Technical Implementation Guide) and other audit profiles, and add more modules to gather different data. We also invite others to help contribute to the development of HubbleStack. The project is open source, and you can join the project on GitHub.

Colton Myers
Software Engineer, Digital Marketing solutions

DefendCon – All Systems Go

We are excited to host DefendCon from Adobe – the first security conference that combines the gender-inclusive nature of a traditional women-in-tech conference with cutting-edge, quality technical content presented by a diverse array of speakers.

With DefendCon, we are creating a welcoming environment where attendees will not only learn about security best practices, but also gain insight on hot topics in the industry like artificial intelligence, IoT security, incident response and machine learning.

We’re all familiar with the stats around the growth of jobs in information security and the fact that women make up less than 11% of the cybersecurity workforce*. Historically, women also leave the IT workforce at almost twice the rate of men. In an industry with an increasing demand for qualified candidates, we need to attract, train and retain high-performing individuals. We know that diverse teams lead to higher performance and better results, and we’re continuing to build on our initiatives in diversity, security best practices, and security education to help creatively solve these issues.

The first ever DefendCon will take place this week on September 21-22 at the Adobe Seattle office. We hope to provide women and men in the security industry with a quality experience to connect, collaborate and learn. We currently have speakers and participants from across the tech sector including LinkedIn, Netflix, Apple, Microsoft, Salesforce and Google. From Adobe, our own Senior Security Researcher Cindy Spiess, Security Researcher Todd Baumeister, as well as Principal Scientist Peleus Uhley will be presenting.

With DefendCon, we’re helping the industry move faster than the status quo and addressing a serious need for more women in cybersecurity. We look forward to building upon this inaugural effort in the months and years to come.

Check out our full list of speakers and sessions. You can also follow the latest around the event on Twitter @DefendCon.


Brad Arkin
Vice President and Chief Security Officer


Announcing DefendCon from Adobe

The rate of growth for jobs in information security is projected at 37% through 2022[1], much faster than the average for other occupations. Did you know that there will be a 2 million job shortfall for cybersecurity professionals by 2019[2] and that women currently make up less than 11% of the cybersecurity workforce[3]?

Adobe believes that diverse teams lead to higher performance and better results and is continuing to build upon its initiatives in diversity, security best practices, and security education to help creatively solve these issues. We wanted to create a conference that combines the gender-inclusive nature of a traditional women-in-tech conference with cutting-edge technical content, and thus DefendCon was born. This conference aims to provide women and male allies in the security industry with a quality experience to connect, collaborate and learn. We currently have speakers and participants from across the tech sector including LinkedIn, Netflix, Microsoft, Google and more! Topics include machine learning and AI in security, IoT security, bug bounties, incident response, and container security, among others.

Check out our exciting full list of speakers and sessions.

If you want to learn more about how you can help the gender diversity issue in cybersecurity, learn from industry leading talent, and meet the next generation of technical leaders please email the DefendCon team today. You can also follow the latest around the event on Twitter @DefendCon.

Tracie Martin
Technical Program Manager – Security



Lessons Learned from Improving Transport Layer Security (TLS) at Adobe

Transport Layer Security (TLS) is the foundation of security on the internet. As our team evolved from a primarily consultative role to solving problems for the entire company, we chose TLS as one of the areas to improve. The goal of this blog post is to share the lessons we’ve learned from this project.

TLS primer

TLS is a commonly used protocol to secure communications between two entities. If a client is talking to a server over TLS, it expects the following:

  1. Confidentiality – The data between the client and the server is encrypted and a network eavesdropper should not be able to decipher the communication.
  2. Integrity – The data between the client and the server should not be modifiable by a network attacker.
  3. Authentication – In the most common case, the identity of the server is authenticated by the client during the establishment of the connection via certificates. You can also have 2-way authentication, but that is not commonly used.

Lessons learned

Here are the main lessons we learned:

Have a clearly defined scope

Instead of trying to boil the ocean, we decided to focus on around 100 domains belonging to our Creative Cloud, Document Cloud and Experience Cloud solutions. This helped us focus on these services first versus being drowned by the thousands of other Adobe domains.

Have clearly defined goals

TLS is a complicated protocol, and the definition of a “good” TLS configuration keeps changing over time. We wanted simple, easy-to-test, pass/fail criteria for all requirements on the endpoints in scope. We ended up choosing the following:

SSL Labs grade

SSL Labs does a great job of testing a TLS configuration and boiling it down to a grade. Grade ‘A’ was viewed as a pass and anything else was considered a fail. There might be some endpoints that had valid reasons to support certain ciphers that resulted in a lower grade. I will talk about that later in this post.

Apple Transport Security

Apple has a minimum bar for TLS configuration that all endpoints must pass if iOS apps are to connect to that endpoint. We reviewed these criteria and deemed all of the requirements sensible. We decided to make it a requirement for all endpoints, regardless of whether an endpoint was being accessed from an iOS app or not. We found a few corner cases where a configuration would get SSL Labs grade A and fail ATS (and vice versa), which we resolved on a case-by-case basis.

HTTP Strict Transport Security

HSTS (HTTP Strict Transport Security) is an HTTP response header that instructs compliant clients to always use HTTPS to connect to a website. It helps solve the problem of the initial request being made over plain HTTP when a user types in the site without specifying the protocol, and it helps prevent the hijacking of connections. When a compliant client receives this header, it only uses HTTPS to make connections to this website for the max-age value set by the header. The max-age countdown is reset every time the client receives this header. You can read the details about HSTS in RFC 6797.
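The client-side behaviour just described, as an added example that is not Adobe's code: a small model of a compliant client's known-HSTS-host list. The hostnames, header values and clock values are constructed; the handling of a header that arrives over plain HTTP and of max-age=0 follows RFC 6797 rather than anything stated in the post.

```python
"""Client-side HSTS model (added example, not Adobe's code).
A Strict-Transport-Security header received over HTTPS pins the host to HTTPS
for max-age seconds; each fresh header resets the countdown; http:// requests to
a pinned host are upgraded; the pin lapses once max-age elapses. RFC 6797 also
says to ignore the header over plain HTTP and that max-age=0 clears an entry.
"""
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

_DIRECTIVE = re.compile(r'\s*([A-Za-z-]+)\s*(?:=\s*"?(\d+)"?)?\s*')  # token[=number]


def parse_sts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Return (max_age, include_subdomains), or None if the header is unusable."""
    max_age, include_sub = None, False
    for part in filter(str.strip, value.split(";")):
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            return None  # malformed: RFC 6797 says ignore the whole header
        name, num = m.group(1).lower(), m.group(2)
        if name == "max-age" and num is not None:
            max_age = int(num)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """Known-HSTS-host list: host -> (absolute expiry, includeSubDomains flag)."""

    def __init__(self):
        self._entries = {}

    def observe_response(self, url, headers, now):
        parts = urlsplit(url)
        sts = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or sts is None:
            return  # only a response received over HTTPS may set or refresh a pin
        policy = parse_sts_header(sts)
        if policy is None:
            return
        max_age, include_sub = policy
        if max_age == 0:
            self._entries.pop(parts.hostname, None)
        else:
            self._entries[parts.hostname] = (now + max_age, include_sub)  # countdown reset

    def is_known_host(self, host, now):
        """Exact match, or a superdomain pinned with includeSubDomains; expired pins are dropped."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now >= expires_at:
                del self._entries[candidate]
            elif i == 0 or include_sub:
                return True
        return False

    def rewrite_request(self, url, now):
        """Upgrade http:// to https:// for a pinned host; explicit port 80 becomes the default 443."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_host(parts.hostname, now):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Constructed request/response sequence; returns the URLs the client would actually fetch."""
    store, t = HstsStore(), 1_000_000  # constructed clock, in seconds
    hdr = {"Strict-Transport-Security": "max-age=600; includeSubDomains"}
    fetched = [store.rewrite_request("http://example.com/a", t)]            # no pin yet
    store.observe_response("http://example.com/", hdr, t)                    # plain HTTP: ignored
    fetched.append(store.rewrite_request("http://example.com/b", t))
    store.observe_response("https://example.com/", hdr, t)                   # pinned until t+600
    fetched.append(store.rewrite_request("http://example.com:80/c", t + 100))
    fetched.append(store.rewrite_request("http://api.example.com/d", t + 100))  # subdomain
    store.observe_response("https://example.com/", hdr, t + 500)             # refresh: now t+1100
    fetched.append(store.rewrite_request("http://example.com/e", t + 1000))
    fetched.append(store.rewrite_request("http://example.com/f", t + 1200))  # expired
    return fetched
```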

Complete automation of testing workflow

We wanted to have minimal human cost for these tests on an ongoing basis. This project allowed us to utilize our Security Automation Framework (SAF). Once the scans are set up and scheduled, they keep running daily and the results are passed on to us via email, Slack, etc. After the initial push to get all the endpoints to pass all the tests, it was very easy to catch any drift when we saw a failed test. Here is what these results look like in the SAF UI:

Devil is in the Detail

From a high level it seems fairly straightforward to improve TLS configurations. However, it is a little more complicated when you get into the details. I wanted to talk a little bit about how we went about removing ciphers that were hampering the SSL Labs grade.

To understand the issues, you have to know a little bit about the TLS handshake. During the handshake, the client and the server decide on which cipher to use for the connection. The client sends the list of ciphers it supports in the client “hello” message of the handshake to the server. If server-side preference is enabled, the cipher that is listed highest in the server preference and also supported by the client is picked. In our case, the cipher that was causing the grade degradation was listed fairly high on the list. As a result, when we looked at the ciphers used for connections, this cipher was used in a significant percentage of the traffic. We didn’t want to just remove it because of the potential risk of dropping support for some customers without any notification. Therefore, we initially moved it to the bottom of the supported cipher list. This reduced the percentage of traffic using that cipher to a very small value. We were then able to identify that a partner integration was responsible for all the traffic for this cipher. We reached out to that partner and asked them to make the appropriate changes before disabling that cipher. If you found this interesting, you might want to consider working for us on these projects.
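The server-preference selection and the reorder-then-remove approach described above, as an added example that is not Adobe's code or tooling. The post does not name the suite that lowered the grade, so the suite names and the client population are constructed stand-ins, and `negotiate`, `traffic_share` and `clients_using` are hypothetical helpers.

```python
"""Server-preference cipher selection and per-suite traffic share (added example, not Adobe's code).

The post does not name the suite that lowered the SSL Labs grade, so the suite names
and the client population below are constructed stand-ins for the reorder-then-remove
approach it describes.
"""
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple

# Real IANA suite names, used here only as stand-ins.
STRONG_GCM = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
STRONG_CBC = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
LEGACY = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"  # plays the grade-lowering suite

# Constructed client population: (label, suites offered in the client hello, connections/day)
Client = Tuple[str, List[str], int]
CLIENTS: List[Client] = [
    ("modern browsers", [STRONG_GCM, STRONG_CBC, LEGACY], 9000),
    ("older clients", [STRONG_CBC, LEGACY], 900),
    ("partner integration", [LEGACY], 100),
]

ORIGINAL = [LEGACY, STRONG_GCM, STRONG_CBC]   # legacy suite listed high in server preference
REORDERED = [STRONG_GCM, STRONG_CBC, LEGACY]  # step 1: moved to the bottom of the list
REMOVED = [STRONG_GCM, STRONG_CBC]            # step 2: disabled once the last user has migrated


def negotiate(server_prefs: Sequence[str], client_offer: Sequence[str],
              server_preference: bool = True) -> Optional[str]:
    """Pick the suite for one handshake.

    With server-side preference, the first suite in the server's list that the client
    also offered wins; otherwise the client's order decides. None means there is no
    common suite and the handshake fails.
    """
    first, second = (server_prefs, client_offer) if server_preference else (client_offer, server_prefs)
    allowed = set(second)
    return next((suite for suite in first if suite in allowed), None)


def traffic_share(server_prefs: Sequence[str],
                  clients: Sequence[Client] = CLIENTS) -> Dict[Optional[str], float]:
    """Fraction of daily connections negotiating each suite (None = failed handshakes)."""
    counts: Counter = Counter()
    for _, offer, n in clients:
        counts[negotiate(server_prefs, offer)] += n
    total = sum(n for _, _, n in clients)
    return {suite: n / total for suite, n in counts.items()}


def clients_using(server_prefs: Sequence[str], suite: Optional[str],
                  clients: Sequence[Client] = CLIENTS) -> List[str]:
    """Client groups that still end up on `suite` under this server order: the lookup
    that lets you trace the residual traffic to, say, a single partner integration."""
    return [label for label, offer, _ in clients if negotiate(server_prefs, offer) == suite]


if __name__ == "__main__":
    for name, prefs in (("original", ORIGINAL), ("reordered", REORDERED), ("removed", REMOVED)):
        print(f"{name:9s} share={traffic_share(prefs)} legacy users={clients_using(prefs, LEGACY)}")
```

With the legacy suite near the top every client lands on it; moving it to the bottom leaves only the client group that offers nothing else, which is the group to notify before the suite is disabled.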

Future work

In the future, we want to expand the scope of this project. We also want to raise the bar for services that have already met the requirements described in this post. One of the near-term goals is to get some of our domains added to the HSTS preload list. Another goal is more thorough monitoring of Certificate Transparency logs for better alerting on new certificates issued for Adobe domains. We have also been experimenting with HPKP. However, as with all new technologies, there are issues we must tackle to continue to ensure the best balance of security and experience for our customers.

Gurpartap Sandhu
Security Researcher

Adobe @ Security of Things World 2017

Dave Lenoe, Director of the Adobe Secure Software Engineering Team, will be speaking this week at Security of Things World 2017 in Berlin, Germany. Dave will be speaking about “Building in Seamless Security Updates – Lessons Learned for IoT Device Manufacturers” at 13:45 on Monday, June 12th. The session will discuss the importance of providing security updates quickly, making them easy to install for users, and best practices that can be built into IoT devices from the ground up. If you are attending Security of Things World this week in Berlin, we hope you are able to join Dave for this informative session.

Thanks to All Who Have Downloaded Open Source CCF

As announced at ISACA North America CACS this past Monday, May 1st, by our own Abhi Pandit, Adobe has made available an open source version of its Common Controls Framework (CCF). We have had significant interest in this unique project both before and after the event. We would like to thank all of those that have downloaded open source CCF to date. As always, we welcome your feedback as you make use of the framework in your own compliance efforts. You can contact us directly at If you have not yet downloaded your copy, please visit our website to register and download today.

For our European customers and friends, Abhi will be speaking about open source CCF at the upcoming Euro CACS conference in Munich on Monday, May 29th, from 14:15 – 15:30. If you are planning to attend Euro CACS, we look forward to seeing you at the session. We will also have a booth in the expo area with more information about open source CCF and our other security and compliance initiatives across Adobe.

We look forward to seeing you there!

The Adobe Team at North America CACS 2017

Chris Parkerson
Sr. Campaign Manager

Adobe Releases Common Control Framework (CCF) as Open Source

The Common Control Framework (CCF) by Adobe is the cornerstone of our company-wide compliance strategy. It is a comprehensive set of simple control requirements, rationalized from the alphabet soup of several different industry information security and privacy standards. The CCF has enabled Adobe’s cloud products, services, platforms and operations to achieve compliance with various security certifications, standards, and regulations (SOC2, ISO, PCI, HIPAA, FedRAMP etc.).

This multi-year effort to implement the CCF across all business units was led by our Risk, Advisory and Assurance Services (RAAS) group. As part of our ongoing efforts in knowledge sharing with the broader security community, we are releasing a generic version of CCF through a Creative Commons license to help drive ongoing innovation around compliance in the security industry.

Open source CCF contains a baseline set of control activities. These control activities are meant to assist organizations in meeting the requirements of ISO/IEC 27001, AICPA SOC Common Criteria, AICPA SOC Availability, and the security requirements of GLBA and FERPA. These common activities were identified and developed based on industry requirements. They have been adopted by Adobe product operations and engineering teams to achieve compliance with these standards. This information is only to be used as an illustrative example of common security controls that could be tailored to your organization’s security objectives.

We are excited to share the CCF with the security and compliance community. However, potential users should note that it is more than just a unified compliance framework. Our goal with CCF is to help the industry realize more significant value by adopting a more collaborative implementation strategy within their business. This will help enable more scalable security, compliance, and operations processes to ensure ongoing success.

We hope you will take the opportunity to download CCF today and begin using it in your organization. We welcome feedback and questions about the framework. You can contact us on the Open Source CCF team directly at

Abhi Pandit
Sr. Director, Risk Advisory and Assurance Services (RAAS)

Adobe @ CanSecWest 2017

It was another great year for the Adobe security team at CanSec West 2017 in beautiful Vancouver. CanSec West 2017 was an eclectic mix of federal employees, independent researchers and representatives of industry, brought together in one space to hear about the latest exploits and defense strategies. As a first-time attendee, I was impressed not just by the depth and breadth of the talks, but also by the incredibly inclusive community of security professionals that makes up the CanSec family. Adobe sponsors many conferences throughout the year, but the intimate feel of CanSec West is unique.

As the industry shifts towards a more cloud-centric playbook, hot topics such as virtualization exploits became a highlight of the conference. Several presenters addressed the growing concern of virtualization security, including the Marvel team, who gave an excellent presentation demonstrating the Hearthstone UAF and OOB vulnerabilities to exploit RPC calls in VMware. Additionally, the Qihoo 360 gear team continued their theme from last year on QEMU exploitation, demonstrating attacks that ranged from leveraging trusted input from vulnerable third-party drivers to attacking shared libraries within QEMU itself.

IoT also continued to be a hot topic of conversation, with several talks describing both ends of the exploitation spectrum: the limited-scale but potentially catastrophic effect of attacking automobile safety systems, and the wide-scale DoS-style attacks of a multitude of insecure devices banding together to form zombie armies. Jun Li, from the Unicorn team of Qihoo, gave an informative talk on exploiting the CAN bus in modern automobiles to compromise critical safety systems. On the other end of the attack spectrum, Yuhao Song of GeekPwn Lab & KEEN, together with Huiming Liu of GeekPwn Lab & Tencent Xuanwu Lab, presented on how mobilizing millions of IoT devices can cause wide-scale devastation across core internet services.

There were many talks on how the strategy for vulnerability prevention is changing from attempting to correct individual pieces of vulnerable code to implementing class-excluding mitigations that make 0-day exploitation time consuming and costlier. In a rare moment of agreement between attackers and defenders, both David Weston from Microsoft and Peng Qiu and Shefang Zhong of Qihoo 360 touted the improvements in the Windows 10 architecture, such as Control Flow Guard, Code Integrity Guard and Arbitrary Code Guard, that prevent entire classes of exploits. As with previous class-busting mitigations like ASLR, wide-scale adoption of these new technologies will be a challenge as we continue to chase a multitude of third-party binaries and try to ensure continued compatibility with legacy software. As David Weston reiterated in his talk, even these improvements are not a panacea for security, and there is still much work to be done by the industry to ensure a workable blend of security and usability.

Finally, my personal favorite presentation was given by Chuanda Ding from Tencent, who gave a detailed analysis of the state of shared libraries in systems. In a world of modular software we are quickly becoming joined to each other in an intricate web of shared libraries that may not be fully understood either by the defenders or by the consumers. Chuanda Ding cited Heartbleed as a benchmark example of what happens when a critical software bug is discovered in a widely used common library. As defenders and creators of software, this is often one of the most complex issues we deal with. As we move to a more interwoven software landscape and software offerings increase, it becomes harder to identify where shared third-party code exists, at what versions it exists, and how to effectively patch it all when a vulnerability arises. I cannot overstate how much I loved his last chart on shared libraries; you should check it and the rest of the great talks out on the CanSec West SlideShare. Also be sure to catch our next blog post on the results of the Pwn2Own contest.

Tracie Martin
Security Technical Program Manager

SOC 2-Type 2 (Security & Availability) and ISO 27001:2013 Compliance Across All Adobe Enterprise Clouds

We are pleased to report that Adobe has achieved SOC 2 – Type 2 (Security & Availability) and ISO 27001:2013 certifications for enterprise products within Adobe’s cloud offerings:

  • Adobe Marketing Cloud*
  • Adobe Document Cloud (incl. Adobe Sign)
  • Adobe Creative Cloud for enterprise
  • Adobe Managed Services*
    • Adobe Experience Manager Managed Services
    • Adobe Connect Managed Services
  • Adobe Captivate Prime
*(Excludes recent acquisitions including Livefyre and TubeMogul)

The criteria for these certifications have been an important part of the Common Controls Framework (CCF) by Adobe, a consolidated set of controls to allow Adobe teams supporting Adobe’s enterprise cloud offerings across the organization to meet the requirements of various industry information security and privacy standards.

As part of our ongoing commitment to help protect our customers and their data, and to help ensure that our standards effectively meet our customers’ expectations, we are constantly refining this framework based on industry requirement changes, customer asks, and internal feedback.

Following a number of requests from the security and compliance community, we are planning to publicly release an open source version of the CCF framework and guidance sometime in FY17 so that other companies may benefit from our experience.

Brad Arkin
Chief Security Officer