Adobe recently held its Security Champion Summit at our headquarters in San Jose, CA. This is an internal event designed to bring together Security Champions and security-minded individuals from areas such as engineering, product management, marketing, sales, and research. Our Security Champions are members of our product teams who are passionate about security and have stepped up to lead the charge in security matters for their teams. I had the opportunity to attend this two-day event. While I am still relatively new to Adobe, I was extremely excited to network with other members of the security team and security champions representing teams from across the company, especially those who are as passionate about security as I am.

The first day opened with a welcome presentation by Brad Arkin, Adobe’s Chief Security Officer (CSO). Brad started by sharing an analogy between “Security assurance and security goodness of the products and services Adobe is building” compared to an individual’s “wellness, fitness, and health.” He then introduced his plan for 2020 which involves taking what Adobe teams currently have and bringing it to the next level using what he called an “Olympic training” style approach. He described this change by explaining how users will shift from having the flexibility of setting up container compute, to moving into our managed container infrastructure, aka the “Olympic training facility.”

Following the keynote presentation on trends in security testing was an interactive “Role of a Champion” panel. The panel was made up of three current Security Champions. They discussed their current roles, their driving factors for becoming Security Champions, and what their security responsibilities included. Based on the number of questions from the audience, one could sense a great interest in others becoming Security Champions for their respective teams.

There were excellent talks throughout the day, but the one presentation I gained the most from was “Who’s Who in the Security Team” by David Lenoe, Director of Product Security. For each facet of the overall security team, David briefly described what the team did, listed why other teams would contact them, provided examples of questions they might receive, and shared the team’s contact information. I work with the Sales team answering questionnaires around the security of our products and services. On occasion, my team needs to reach out to one of these teams to help find answers to questions we do not know.

On day two, attendees took one of three trainings – Threat Modeling Training, Cloud Security Training, and Kubernetes Security Training. While all three looked interesting, I opted for the Cloud Security training. The day was divided into two sections – AWS and Azure. In the AWS training, we practiced with services such as AWS IAM, EC2, Lambda, and VPCs. For many of the AWS labs, we were able to see how a malicious user could exploit misconfigured settings, and how those misconfigurations could be remediated. The Azure segment covered topics such as the attack chain, reconnaissance, Active Directory, storage security, and various demos such as brute force attacks and privilege escalation.

Overall, this event was enriching for me. I was able to meet in person many of the people I had only had the chance to interact with digitally. I feel I now have an enhanced understanding of the teams that make up the Adobe Security team. The work we do as an extended team helps contribute to the overall success at Adobe. Adobe believes its Security Champions program is key to ensuring that our engineering teams are constantly thinking about and implementing ways to improve the security of our solutions. Activities like this Summit are an important tool in helping to ensure the ongoing growth and success of the program.

Melissa Burns
Information Security Analyst

Major Initiatives, Secure Product Lifecycle (SPLC), Security Automation

Posted on 02-13-2020