Posts tagged "SD Elements"

View of an Internship with ASSET

I technically joined the security community last year when I began my Master’s in Information Security at Carnegie Mellon University. I gained a lot of theoretical and practical knowledge from the program, but my internship with ASSET gave me a totally new perspective on how security in a large organization works. I worked on multiple projects over the summer in the beautiful city of San Francisco. I have outlined one of them below.

Adobe follows a Secure Product Lifecycle (SPLC). To cater to the large number of current and future Adobe products, the security guidance provided to the teams by ASSET needs to be scalable. Scalability requires automation, or else the number of security researchers and their time becomes a bottleneck. Security guidance is also intended to focus on the configuration of the projects. For example, a Web service written in Java that handles confidential information requires a very different set of guidelines to follow as compared to an Android application.

For such targeted guidance, we use a smart system called SD Elements. For SD Elements, I performed a gap-analysis on security recommendations of Android and iOS apps as well as on desktop and rich-client applications. I researched quite a bit in the process. Some of my sources included the CERT guidelines for securing applications, internal pen-test reports, and a lot of academic research papers and vendor reports. Adobe has now moved to cloud deployment for many of their products: Creative Cloud and Marketing Cloud are prime examples. To support this recent momentum, I also expanded the deployment phase in SD Elements, which is a set of guidelines for DevOps teams to securely deploy and maintain their applications in the cloud.

During my internship, I worked with Mohit Kalra who was my manager and Karthik Raman, my mentor. They were always available to guide me whenever I got stuck on a problem and always gave me specific Adobe context. My other team-members were also very helpful and considerate throughout the internship and they always made me feel at home. As part of Adobe Be Involved month, I also got a chance to volunteer at Edgewood Center for Children and Families, which was a humbling experience. We played kickball with the kids and it was really great to see smiles on their faces.


Volunteer picture from Edgewood Center for Children and Families. (I’m the guy in bottom left.)

As a result of my internship at Adobe, I feel like I’ve really improved my technical knowledge and my understanding of how security works within an organization. Thanks, Adobe.

Mayur Sharma
Security Intern

Using Smart System to Scale and Target Proactive Security Guidance

One important step in the Adobe Secure Product Lifecycle is embedding security into product requirements and planning. To help with this effort, we’ve begun using a third-party tool called SD Elements.


SD Elements is a smart system that helps us scale our proactive security guidance by allowing us to define and recommend targeted security requirements to product teams across the company in an automated fashion. The tool enables us to provide more customized guidance to product owners than we could using a generic OWASP Top 10 or SANS Top 20 Controls for Internet Security list and it provides development teams with specific, actionable recommendations. We use this tool not only for our “light touch” product engagements, but to also provide our “heavy touch” engagements with the same level of consistent guidance as a foundation from which to work.

Another benefit of the tool is that it helps make proactive security activities more measurable, which in turn helps demonstrate results which can be reported to upper management.

ASSET has worked with the third-party vendor Security Compass to enhance SD Elements by providing feedback from “real world” usage of the product. The benefit to Adobe is that we get a more customized tool right off the shelf – beyond this, we’ve used the specialized features to tailor the product to fit our needs even more.

We employ many different tools and techniques with the SPLC, and SD Elements is just one of those, but we are starting to see success in the use of the product. It helps us make sure that product teams are adhering to a basic set of requirements and provides customized, actionable recommendations on top. For more information on how we use the tool within Adobe, please see the SD Elements Webcast.

If you’re interested in SD Elements you can check out their website.

Jim Hong
Group Technical Program Manager