Security of hosted services is top priority for Adobe's first CSO

Strengthening the security of Adobe's internal infrastructure is another goal for new CSO Brad Arkin

Adobe Systems has appointed Brad Arkin, the company's senior director of security for products and services, to become its first CSO. With a mature product security program already in place, the top priorities for Adobe's new security chief are to strengthen the security of the company's hosted services and its internal infrastructure.

For the past several years, Arkin has overseen Adobe's software product security efforts as leader of the Adobe Secure Software Engineering Team (ASSET) and the Adobe Product Security Incident Response Team (PSIRT). During this time, Adobe Reader and Flash Player, two applications that are frequently targeted by attackers due to their large user base, have received significant security improvements including anti-exploitation mechanisms like sandboxing and silent automatic updates.

While the secure software engineering work will continue, Arkin's focus is strengthening the security of the company's hosted services, like the Adobe Creative Cloud and the Adobe Marketing Cloud.

"I think that our secure product lifecycle and the work we've been doing with our shrinkwrapped products is very mature," Arkin said. "We've been doing this for years now."

However, the company hasn't been doing hosted services for as long as it's been developing off-the-shelf software, "so we continue to enhance our monitoring and operation security in that area," Arkin said.

"Right now I am most focused on doing the things we can to protect our customers' data," he said. "We're doing a lot of great work there already, but there's even more work that we have planned and we'll be doing, and it's a never-ending process. This is something that's just part of running hosted services."

Adobe maintains a security roadmap for its hosted services, and every new code release, which happens every three weeks, adds a security feature or improvement or hardens existing code in those services, Arkin said.

In addition to enhancing the security of its hosted services, the company also plans to focus on strengthening its IT infrastructure and high-value internal systems against attacks.

The bad guys are really creative in the types of attacks they use against companies connected to the Internet, Arkin said. "We're working with security vendors and others in the defender community to make sure that we're putting the robust defenses in place on our internal infrastructure."

The company has experienced sophisticated targeted attacks in the past, Arkin said. One example is the incident disclosed by Adobe in September 2012, when attackers managed to compromise one of the company's internal code-signing servers and used it to sign malware with an Adobe digital certificate, he said.

This type of attack, which targets the company's infrastructure and not the code it produces or its users, represents a potential risk that needs to be managed and addressed, Arkin said. "Defending our internal operations, as well as our external hosted services and the code that we're writing, are all in the scope of the responsibilities for what I'm working on."

From his new position, Arkin will oversee the work of the recently created Engineering Infrastructure Security Team, which maintains the company's software building, signing and release infrastructure, in addition to that of the ASSET and PSIRT groups. He will also oversee the Adobe Security Coordination Center, a group that coordinates both network and product security incident response activities across the company.

Adobe's efforts to strengthen the security of its software products, especially the widely used programs, have had a visible impact on the threat landscape in recent years. The number of exploits targeting Adobe Reader used in active attacks has decreased considerably, forcing attackers to switch their focus to Oracle's Java and other widely used software. A zero-day -- previously unknown -- exploit for Adobe Reader X that was found in February was the first to bypass the program's sandbox mechanism since its release back in 2010.

Flash Player is now also sandboxed under Google Chrome, Mozilla Firefox and Internet Explorer 10 on Windows 8, making successful exploitation of Flash Player vulnerabilities much more difficult than in the past.

The silent auto-update option added to Flash Player and Reader, together with the work the company has done with platform partners like Microsoft, Apple, Mozilla and Google, has led to the majority of users upgrading to the latest and most secure versions of those products, Arkin said.

In the consumer market, only a small number of users are still using Adobe Reader 9 and less than 1 percent are running an older version that's no longer supported and not receiving security updates, Arkin said. Most enterprise environments have upgraded to Reader XI, yet "more people than I would like are still using version 9," Arkin said.

The company is pushing aggressively to move people from Reader version 9 to version XI, or at least X, especially since version 9 will reach end-of-life at the end of June, Arkin said. "We're using the update mechanism to push upgrades to the latest version and not just security updates for the installed version."

Ideally, the company would like people to use Reader XI because it offers the best level of security. Reader XI has a second sandboxing component known as Protected View, in addition to the one first introduced in Reader X, but unfortunately this feature is not turned on by default.

The reason Reader XI is not shipped with Protected View enabled by default is that it breaks some workflows: the level of protection it offers is incompatible with screen readers and with some other common tasks like printing, Arkin said. With every update, the company is trying to solve some of the incompatibilities so that it can eventually turn the feature on by default, Arkin said. However, people in highly targeted environments can still turn it on now and use various workarounds to access the required functionality, he said.

As far as Flash Player is concerned, the immediate goal is to do more security testing and targeted code hardening in order to identify and fix potential flaws, Arkin said. Small changes are also being done to the ActionScript Virtual Machine 2 (AVM2) engine based on feedback from platform partners and people in the Chrome and IE 10 teams, in order to make it more robust against corrupt bytecode, he said.

The CSO title was needed at Adobe because the importance of cybersecurity in the world has increased, both from a technical point of view, with new types of attacks appearing, and also from a regulatory standpoint, with the new cybersecurity executive order in the U.S. and the cybersecurity strategy in the E.U., Arkin said.

"Creating a chief security officer position now is a way for us to communicate externally the scale of the work that we're doing on security internally," he said. "It also helps to convey the weight and serious nature of the issues and how Adobe is tackling them head on."

Stories by Lucian Constantin