
Applying the SANS Cybersecurity Engineering Graduate Certificate to Adobe’s Secure Product Lifecycle (part 1 of 2)

In the constantly changing world of product security it is critical for development teams to stay current on trends in cybersecurity. The Adobe Photoshop team regularly evaluates additional training programs to complement Adobe’s ASSET Software Security Certification Program. One of those is the SANS Cybersecurity Engineering Graduate Certificate Program. This blog series discusses how we are leveraging the knowledge from this program to help improve product security for Adobe Photoshop.

The SANS Cybersecurity Engineering Graduate Certificate is a three-course certificate that offers hands-on practical security training, such as in the proper use of static code analysis. A best practice of modern software development is to perform static code analysis early in the software development lifecycle, before the code is released to quality engineering. On the Photoshop team we run static code analysis regularly in our continuous build environment. This analysis helps ensure that any new defects introduced during development can be fixed immediately by the engineer who added them. The quality engineering team can then focus on automation, functional testing, usability testing and other aspects of overall quality instead of, for example, accidental NULL dereferences.

In addition to the course material and labs, graduate students are asked to write peer-reviewed research papers. I am primarily responsible for the security of the Adobe Photoshop CC desktop application, and I developed my research paper based upon my experiences. When the Heartbleed bug was disclosed in April 2014, I was curious to know why this type of bug wasn’t caught by static analysis tools. I chose to examine this question and how it applies to Photoshop.

The resulting paper, The Role of Static Analysis in Heartbleed, showed that Heartbleed wasn’t initially caught by static analysis tools. This is because one of the goals of static analysis is to avoid generating too many false positives that engineers need to sift through. To address this, we asked the vendor of one of the popular static analysis tools, Coverity, to add a new TAINTED_SCALAR checker that was general enough to detect not only Heartbleed but also other potential byte-swap defects. Andy Chou’s blog post details how, by looking at byte-swap operations in general rather than making the checker specific to Heartbleed, other software development teams can benefit. This idea was proven correct when the Photoshop team applied the latest release of Coverity’s tools, including the checker we requested, to our codebase. We have identified and fixed a number of issues reported by this new TAINTED_SCALAR checker.
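To make the byte-swap pattern concrete: a length field read off the wire is byte-swapped into a native integer and then used as a copy size, and a checker like TAINTED_SCALAR reports that use unless the code first bounds the value against the data that actually arrived. The following C program is an added illustration written for this post; it is not code from the paper, from OpenSSL or from Coverity. It parses a hypothetical heartbeat-style record (1-byte type, 2-byte big-endian payload length, payload, 16 bytes of padding) with the bounds check that Heartbleed lacked, and the record-building helper and sample inputs are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record layout for this example (not OpenSSL's code):
 * 1 byte type, 2 byte big-endian payload length, payload, 16 bytes padding. */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16

/* Parsed result: the copied payload and its length. */
typedef struct {
    uint8_t payload[64];
    size_t  payload_len;
} hb_reply;

/* Read a 16-bit big-endian value. The result is tainted: it came from the
 * network, so a static checker treats any later use of it as a copy size
 * as suspicious until a bound on it has been established. */
static uint16_t read_be16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Parse one record of 'rec_len' bytes into 'out'.
 * Returns 0 on success and -1 if the record is malformed.
 * The comparison of 'declared' against 'rec_len' is the check that was
 * missing in Heartbleed; without it the copy reads past the record. */
int parse_heartbeat(const uint8_t *rec, size_t rec_len, hb_reply *out) {
    if (rec == NULL || out == NULL)
        return -1;
    if (rec_len < HB_HEADER_LEN)
        return -1;                       /* no room for type + length */

    uint16_t declared = read_be16(rec + 1);

    /* Bound the tainted length by what actually arrived ... */
    if ((size_t)declared + HB_HEADER_LEN + HB_PADDING_LEN > rec_len)
        return -1;                       /* header claims more than was sent */
    /* ... and by the buffer we are copying into. */
    if (declared > sizeof out->payload)
        return -1;

    memcpy(out->payload, rec + HB_HEADER_LEN, declared);
    out->payload_len = declared;
    return 0;
}

/* Constructed sample input: write a record into 'buf' whose header says
 * 'declared' payload bytes while only 'actual' bytes are really appended.
 * Returns the total record length, or 0 if it does not fit. */
size_t build_record(uint8_t *buf, size_t buf_len,
                    uint16_t declared, size_t actual) {
    size_t total = HB_HEADER_LEN + actual + HB_PADDING_LEN;
    if (total > buf_len)
        return 0;
    buf[0] = 1;                          /* hypothetical "request" type */
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared & 0xff);
    for (size_t i = 0; i < actual; i++)
        buf[HB_HEADER_LEN + i] = (uint8_t)('A' + i % 26);
    memset(buf + HB_HEADER_LEN + actual, 0, HB_PADDING_LEN);
    return total;
}

/* Build a record with the given header/actual lengths and return the
 * parser's verdict: 0 accepted, -1 rejected. */
int verdict(uint16_t declared, size_t actual) {
    uint8_t  buf[256];
    hb_reply r;
    size_t   n = build_record(buf, sizeof buf, declared, actual);
    if (n == 0)
        return -1;
    return parse_heartbeat(buf, n, &r);
}

int main(void) {
    printf("honest record (5 declared, 5 sent):      %s\n",
           verdict(5, 5) == 0 ? "accepted" : "rejected");
    printf("mismatched record (65535 declared, 5 sent): %s\n",
           verdict(65535, 5) == 0 ? "accepted" : "rejected");
    printf("record larger than reply buffer (65/65):   %s\n",
           verdict(65, 65) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The two rejections in `main` correspond to the two bounds a checker wants to see on a tainted scalar before it reaches `memcpy`: the amount of data actually received, and the size of the destination buffer. Removing either `if` is the kind of change a TAINTED_SCALAR-style checker would flag in a build.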

The value of additional training can only be fully realized if you can apply the knowledge to problems found on the job. This is one of the advantages of the SANS program: the practical application of this knowledge through a research paper makes the program more valuable to my work.

In part 2 of this blog series, I will examine how the NetWars platform was used to help the overall security profile of Adobe Photoshop.

Jeff Sass
Engineering Manager, Photoshop

NetWars: My Experience at the Minnesota Cyber Aces State Championship

Adobe has always been very supportive of professional development for its employees. It is a great way to work on projects that might not be directly related to one’s main responsibilities. While I am currently responsible for managing engineering and quality engineering on the Adobe Photoshop architecture team, I have been using my professional development time to research cybersecurity.

I recently learned about Cyber Aces, founded by Alan Paller, co-chair of the Secretary of Homeland Security Task Force on Cyberskills and founder and research director of the SANS (SysAdmin, Audit, Networking, and Security) Institute. The goal of Cyber Aces is to “fill a critical shortage of skilled cybersecurity professionals by growing the talent pool, discovering those with high potential, and offering a fast track to cybersecurity jobs.”

In order to qualify for the Cyber Aces Minnesota State Championship, I had to take a series of online quizzes in Networking, Operating Systems, and Systems Administration. Luckily, I scored high enough to be invited to compete for the championship title on a simulation called NetWars, a real-time capture-the-flag competition held on March 15, 2014. NetWars was created by the folks at SANS as a way for participants to test their skills with hands-on exercises and penetration tests.

Before the competition, there was an ethics panel hosted by Dr. Kevin Gyolai, dean of STEM (science, technology, engineering, and mathematics) at Inver Hills Community College, where the competition took place. The panelists represented a range of disciplines, from industry (UNISYS) to education (Inver Hills Community College) and government (FBI). They talked about the “insider threats” facing many organizations, how the US Cyber Command has hundreds of job openings that it cannot fill, and how BYOD (bring your own device) is challenging university campus networks and corporations.

After the panel, we got down to business. Level 1 had a series of questions asking us to find flags by looking at the file system, and an interesting question about PDF. On a personal level, it was awesome to see a question about a PDF. I am not allowed to talk about the question as the other states haven’t completed the competition yet, but it was an excellent question.

I have earned the ASSET (Adobe Secure Software Engineering Team) brown belt certification, and programs like Cyber Aces and NetWars will help me on my way to earning a black belt. Thank you to everyone at Cyber Aces for hosting a fantastic event. I encourage anyone interested in developing their security skills to take a look at Cyber Aces and participate.

Jeff Sass
Engineering Manager, Photoshop