Author Archive: David Lenoe

Help Protect Your Devices: Update Your Software

When you receive a notification from your computer that it’s time to update your software, do you immediately accept it, or do you delay the update because you’re in the middle of something? If you’re like 64 percent of American computer-owning adults, you recognize how critical software updates are and update your software immediately. Another 30 percent update their software depending on what the update is for. That’s 94 percent who recognize software updates and at least consider taking action when prompted.

We asked a nationally representative sample of ~2,000 computer-owning adults in the United States about their behaviors and knowledge when it comes to cybersecurity. Interestingly, attitudes toward updating software have changed for the better in the last five years. Consumers seem more likely to update their software immediately, which suggests that updates are becoming easier to install and that computer-owning adults are better informed about how and why updating software is so important to protecting their identity and devices. While a majority update the software on their computer promptly, 83 percent are equally or more diligent in updating their smartphones than their computers. No matter what type of device you own – computer, tablet or smartphone – it’s critical to keep all your software up to date, as soon as the update is available.

Here are some additional insights from the survey on current practices regarding software updates and also some tips and reminders on why you should be updating your software – no matter the device – regularly.

Keep Your Software Up to Date (It’s Critical)

Across the industry, we continue to see attackers finding holes in, and exploiting, software that is not up to date. In fact, attackers may target vulnerabilities for months – or even years – after patches have been made available. Keeping your software up to date is a critical part of protecting your devices, online identity and information. The good news is that, according to our survey results, 78 percent of consumers recognize the importance of keeping software up to date. Among those who typically update their software, 68 percent indicate that both security and crash control are top reasons for updating.

No matter the reason, keeping your software up to date should become a part of your regular routine:

  • Select automatic updates. When possible, select automatic updates for your software – that way, your devices will update on their own without adding another item to your to-do list.
  • Select notification reminders. If you prefer to know exactly what updates are being installed, you can set notifications to remind you to update the software yourself. Our survey results show that 1 in 3 people update on the first notification; interestingly, adults of the Baby Boomer generation are most likely to update their software after one prompt while those tech-savvy Millennials are more likely to need 3 to 5 notifications to update software. For all those not updating on the first prompt, we suggest selecting automatic software updates when possible.

Legitimate Software Updates

While a majority of our survey respondents noted that they frequently update their software, there was a very small group that indicated the reason for not updating their software is because they don’t trust that the update is legitimate. If you share this same concern, here are a few tips and reminders to help ensure you are downloading legitimate software:

  • Set automatic software updates. To help ensure that you are downloading legitimate software, set your software to update automatically when possible. One less thing to do on your end that keeps your computer in check!
  • Check for the software update directly on the company website. When updates or patches to software are available, companies typically have updates on their website. If you’re unsure about a notification, double check on the software company’s website.
  • Be wary of notifications via email. Some companies may send notifications of software updates via email. Be cautious with these, as attackers often send fake email messages carrying malware disguised as a software update. If you’re unsure about a software update you receive by email, go to the company’s website to download the latest patches. And don’t fall victim to phishing ploys! See our blog post on tips for recognizing phishing emails.

Staying One Step Ahead

The technology industry is constantly moving forward, and the task of updating software should continue to progress and be made as simple as possible for users, especially since the majority of exploits appear to target software installations that are not up to date on the latest security updates. Adobe strongly recommends that users install security updates as soon as they are available. Better yet, select the option to allow automatic updates, which installs updates in the background without requiring further user action.

Dave Lenoe
Director, Adobe Secure Software Engineering Team (ASSET)

Survey Infographic (PDF download)

About the Survey (PDF download)

The Adobe Team Reigns Again at the Winja CTF Competition

Nishtha Behal from our corporate security team in Noida, India, was the winner of the recent Winja Capture the Flag (CTF) competition hosted at the NullCon Goa security conference. The Winja CTF this year comprised a set of simulated hacking challenges relating to “Web Security”. The winning prize was a scholarship from The SANS Institute for security training courses. The competition saw great participation, with almost 60 women coming together to test their knowledge of the security domain. The contest is organized as a set of rounds of increasing difficulty. It began with teams of two or three women solving the challenges. The first round consisted of multiple-choice questions aimed at testing the participants’ knowledge in different areas of web application security. The second round consisted of six problems, each presenting a mini web application; the participant’s task was to identify the single most vulnerable snippet of the code and name the vulnerability that could be exploited. The final challenges pitted the members of the winning teams against each other to determine the individual winner. We would like to congratulate Nishtha on this well-deserved win! This marks the second year in a row that some of our participating Adobe team members have won this competition.

Adobe is an ongoing proud supporter of events and activities encouraging women to pursue careers in cybersecurity. We are also sponsoring the upcoming Women in Cybersecurity conference March 31st to April 1st in Tucson, Arizona. Members of our security team will be there at the conference. If you are attending, please take the time to meet and network with them. We also work with and sponsor many other important programs to encourage more women to enter the technology field including Girls Who Code and the Executive Women’s Forum.

David Lenoe
Director, Product Security

Adobe Security Team Members Win Recent CTF Competition

Kriti and Abhiruchi from our corporate security team in Noida, India, were crowned the winners of the recent Winja Capture the Flag (CTF) competition hosted at the NullCon Goa security conference. Twelve (12) teams competed in this year’s contest. We would like to congratulate Kriti and Abhiruchi on their win. Adobe is an ongoing sponsor of the Nullcon conference. This competition was created by women to encourage their peers to enter the field of cybersecurity. It is a complete set of simulated web application security hacking challenges. Each challenge is separated into small tasks that can be solved individually by the competitors on each team. Each team works through the timed two (2) hour duration of the event in an attempt to attack and defend the computers and networks using prescribed tools and network structures.

Adobe is a proud supporter of events and activities encouraging women to pursue careers in cybersecurity. We are also sponsoring the upcoming Women in Cybersecurity conference March 31st to April 2nd in Dallas, Texas. Members of our security team will be there at the conference. If you are attending, please take the time to meet and network with them.

David Lenoe
Director, Product Security

SAFECode Goes to Washington

On a recent trip to Washington, DC, I had the opportunity to participate in a series of meetings with policymakers on Capitol Hill and in the Administration to discuss SAFECode’s (Software Assurance Forum for Excellence in Code) role in and commitment to improving software security. If you’re not familiar with SAFECode, I encourage you to visit the SAFECode website to learn more about the organization. At a high level, SAFECode advances effective software assurance methods, and identifies and promotes best practices for developing and delivering more secure and reliable software, hardware, and services in an industry-led effort.

The visit to DC was set up to promote some of the work being done across our industry to analyze, apply, and promote the best mix of software assurance technology, process, and training. Along with some of my colleagues from EMC and CA Technologies, we spent the beginning of the trip at the Software and Supply Chain Assurance Working Group, where we presented on the topic of software assurance assessment. The premise of our presentation was that there is no one-size-fits-all approach to software assurance, and that a focus on the supplier’s software assurance process is the right way to assess the maturity of an organization when it comes to software security.

One of the other important aspects we discussed with policymakers was SAFECode’s role in promoting the need for security education and training for developers. We are considering ways to support the expansion of software security education in university programs and plan to add new offerings to the SAFECode Security Engineering training curriculum, a free program aimed at helping those looking to create an in-house training program for their product development teams as well as individuals interested in enhancing their skills.

Overall, this was a very productive trip, and we look forward to working with policymakers as they tackle some of the toughest software security issues we are facing today.

David Lenoe, Director of Adobe Secure Software Engineering
SAFECode Board Member

Join Us at CSA EMEA Congress November 19 – 20!

Adobe will be participating again this year in the Cloud Security Alliance (CSA) EMEA Congress event in Rome, Italy, November 19 – 20, 2014. This conference attracts senior decision makers in IT Security from a wide range of industries and governmental organizations. This event focuses on regulatory, compliance, governance, and technical security issues facing both cloud service providers and users of cloud services. We’re excited to be back at what promises to be another great event this year.

I will be presenting a keynote session entitled “Security Roadmaps and Dashboards, Oh My!” on Thursday, November 20th, at 9:40 a.m. A “good” security roadmap is going to come from an ear-to-the-ground approach to security across all teams. It should also reflect current security industry trends. This is essential in creating a multi-faceted, balanced security roadmap that actually drives teams to build security into everything they do. How do you build and keep a solid, adaptable security roadmap in place? By focusing on the right metrics to measure success against the roadmap and developing meaningful dashboards to communicate progress and success to management. This presentation will discuss how Adobe tackled this problem across its very large product, service, and I.T. organization and provide insights into how you might tackle this problem in your own organization. I will also be available in our booth to answer questions after the session.

Please make sure to follow @AdobeSecurity on Twitter for the latest happenings during CSA EMEA Congress as we will be live tweeting during the event – look for the hashtag #AdobeCSA.


David Lenoe

Director, Product Security

SOURCE Boston Presentation

David Lenoe here. Wendy Poland and I will be presenting at SOURCE Boston this Thursday, April 22. Here’s a description of the session we’re presenting:

Bullseye on Your Back – Life on the Adobe Product Security Incident Response Team

Ubiquity can come at a price: Experience has shown that the more popular and widely deployed an application is with end-users, the more likely that application will become a target for attackers and good security researchers alike.

Available in 34 languages, on all major platforms, and on just about every desktop and laptop, Adobe Reader has, unsurprisingly, made the lists of top applications targeted in 2010.

Join this session, and hear David Lenoe and Wendy Poland, members of the Adobe Product Security Incident Response Team (PSIRT), talk about the challenges of having the bullseye on your back and the hard lessons learned in the process. In looking at a recent zero-day vulnerability, Dave and Wendy will offer insight into Adobe’s product security incident response, the process of acting on vulnerability reports, and the analysis that goes into developing a schedule for a fix.

Live and learn – you could be taking center stage before you know it!

Please stop by and say hi if you’re at SOURCE!

Adobe Reader Blog Post Regarding PDF “/Launch” Social Engineering Attack

Steve Gottwals has posted to the Adobe Reader Blog regarding Didier Stevens’ recent report on a social engineering attack which relies on the “/launch” functionality in the PDF specification. Mitigation information for consumers and administrators is included. You can find the full post here.

Adobe joins SAFECode

We’re happy to announce that Adobe has joined SAFECode (Software Assurance Forum for Excellence in Code), a non-profit organization focused on the advancement of effective software assurance methods. We’re looking forward to sharing information on our software security process, learning from other SAFECode members, and helping to drive industry-wide software security initiatives. More information can be found here, and a Q&A with Adobe’s Brad Arkin can be found on the SAFECode blog here.

Co-authored blog with Microsoft

We co-authored a blog post with Jeremy Dallman from Microsoft describing the collaboration between the security teams at both companies. Check it out here:

Adobe PSIRT Process

Following on Peleus’ ‘We Care’ post, we thought this would be a good place to give a more thorough description of Adobe’s Product Security Incident Response Team (or PSIRT) process. Much of the work ASSET does is on the proactive side, preventing software vulnerabilities before a product ships. Adobe’s PSIRT is the part of the ASSET organization that responds to security issues that are discovered by external security researchers, partners, customers and others after a product ships. Here’s a step-by-step description of our process; note that some of these steps overlap and happen in parallel:
Step 1

  • Adobe PSIRT receives information about security vulnerabilities through numerous channels, including (but not limited to):
    • Email from security researchers, partners, or customers, via our feedback web form or directly to
    • Public posting (Bugtraq, VulnDev, etc.)
    • Adobe Support
    • Internal notification (usually from Adobe’s Engineering teams, Quality Engineering teams, or ASSET)
  • Adobe PSIRT responds to the person who reported the issue (let’s call them the ‘researcher’), acknowledging the report and asking for a proof-of-concept file to demonstrate the vulnerability, if applicable.
  • Adobe PSIRT logs the issue in the Incident Response Database for tracking purposes. An Incident ID is automatically generated at this point, and passed along to the researcher.

Step 2

  • Adobe PSIRT sends the report to the relevant product team’s PSRT (Product Security Response Team) for verification. The product team’s PSRT includes a collection of Development, Quality and Program Managers, along with Developers, Quality Engineers and Product Managers.
  • ASSET helps reproduce the bug and assists the product team with severity analysis. If reproducible, the product team (or ASSET, if appropriate) logs an internal Adobe bug for the issue.

Step 3

  • The product team investigates the issue and develops a fix, or workaround. ASSET helps to verify the fix.
  • Any fix will be ported to all supported versions, as well as any version(s) currently under development.

Step 4

  • Adobe PSIRT responds to the researcher, informing them that the issue has been reproduced and a fix is being investigated.
  • As soon as possible, Adobe PSIRT communicates a proposed timeline for a patch to the researcher.
  • Adobe encourages the responsible disclosure of vulnerabilities in our products, so the researcher is asked to keep the vulnerability confidential until a fix is available. Our goal is to keep our customers as secure as possible, so we want to keep the vulnerability information from malicious hackers.

Step 5

  • The product team produces patches for all supported product versions, as quickly as possible. Adobe PSIRT passes along any relevant status updates to the researcher and answers any questions they may have.
  • Adobe PSIRT produces a Security Bulletin draft for the issue. The Security Bulletin text is reviewed by internal Adobe stakeholders.

Step 6

  • Adobe PSIRT passes the patch to the researcher for verification, if possible.
  • Adobe PSIRT sends the Security Bulletin text to the External Security Researcher for review; the Security Bulletin includes an acknowledgment to the researcher thanking them for their help with the issue.
  • Adobe PSIRT works with MITRE Corporation to generate CVE identifiers for any relevant issues.

Step 7

  • The Security Bulletin is posted to along with the product patch(es).
  • Adobe PSIRT posts a link to the Security Bulletin on the PSIRT blog to inform customers who have subscribed to the RSS feed. Customers are encouraged to sign up for the RSS feed by clicking on the link towards the bottom of the right side of the landing page for the most timely notification of security issues.
  • Adobe PSIRT coordinates a notification e-mail, sent to customers who have signed up for bulletin notification e-mails.
  • Customers update their product installations, and the researcher posts their own advisory, if applicable, once the patch is available for customers.

And that is how our PSIRT process works! It can be a complicated process, and we really appreciate the help of all of the security researchers who have cooperated with us, and been patient with us over the years as we fine-tune it. If you have any questions about the process (or, of course, any security vulnerabilities to report to us), please don’t hesitate to contact