Adobe: We know we're hackers' favorite target
But it's making the right moves to shut the door on attackers, say experts
Computerworld - Adobe knows there's a target on its back. But it's OK with that.
"We're in the security spotlight right now," said Brad Arkin, Adobe's director for product security and privacy, in an interview this week. "There's no denying that the security community is really focused on ubiquitous third-party products like ours. We're cross-platform, on all these different kinds of devices, so yes, we're in the spotlight."
Arkin's right: Some Adobe software, especially the free Adobe Reader PDF viewer and the also-free Flash media player, are not only in the security spotlight but also in hackers' cross hairs.
According to Finnish antivirus company F-Secure, 61% of all targeted attacks -- ones purposefully aimed at specific individuals or businesses to break into company networks -- in the first two months of 2010 exploited a bug in Reader. Rival security firm McAfee, meanwhile, estimated that 28% of all exploit-carrying malware in the first quarter of this year leveraged a Reader vulnerability.
Arkin may not be happy that his company's software has become popular with the wrong crowd -- hackers, identity and information thieves, and other cybercriminals -- but he sees a silver lining.
"We're getting more bug reports than we were a year ago," Arkin said, referring to the information that security researchers submit to Adobe when they believe they've uncovered a software vulnerability. "That's a function of the fact that we have ubiquitous software and the complete attention from the security community. And that means there are a lot more eyeballs on us than on other software that does the same things [as Reader and Flash]."
And Arkin welcomes those eyeballs.
"We're thrilled when someone shares [vulnerability] information with us responsibly," he said, referring to bug reports submitted privately, thus giving a vendor time to patch the problem before news about it is released publicly. "That's one less potential vulnerability that could be used by the bad guys."
Adobe is doing more than waiting for bug reports, said Arkin, who pointed to the security moves the company has made in the past year.
Among those changes: an increased emphasis throughout the company on writing more-secure code, an improved update tool for Adobe Reader, faster response to zero-day vulnerability disclosures, and some new -- and upcoming -- security features within Reader.
Adobe now develops code under what it calls its Secure Product Lifecycle (SPLC), an approach similar to Microsoft's much-better-known Software Development Lifecycle (SDL), which involves several security-specific steps that programmers go through to make their software less likely to harbor bugs.
"The [SPLC] impact has been huge," said Arkin. "At this point, my central security team doesn't do any of the actual work. We just prod and evangelize throughout the company. Now the product [development] teams understand the motivations behind what we're asking for."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts