There was a time when Adobe Systems’ products, particularly its Flash and PDF Reader applications were constantly attacked and exploited with a seemingly endless stream of zero-day flaws. Those days are now mostly in the past, as Adobe has made security an embedded part of its development process and rebuilt Flash and Reader to be more resilient and secure.
Leading the charge for Adobe’s product security efforts is Chief Security Officer Brad Arkin. In a video interview with eWEEK, Arkin explains how he transformed his organization from being in constant damage-control mode, to now being on a more sane and stable, security footing.
“In 2009, we didn’t have a regular patch schedule; we also didn’t have a zero-day response process,” Arkin said. “So we spent a lot of energy building up the response process and we built a regular cadence so we can fix bugs.”
Adobe also spent a lot of time making its products significantly more secure. Arkin noted that the Adobe Reader 9 product had a tough time with lots of zero-day flaws. Then along came the Adobe Reader 10 product in November 2010. The Adobe Reader 10 release introduced a new sandbox capability that restricted the ability of code to run outside a protected area. It’s an effort that was extremely successful.
“From the time when we shipped Reader 9 until February of 2013, we didn’t see a single successful attack against Adobe Reader in the real world,” Arkin said. “So we went from attacks every 6 to 10 weeks to none for 27 months.”
Adobe shipped Reader 11 in October 2012, delivering a new sandbox implementation that provides even more protection. Arkin said that the first attack against Reader 10 was an attack against the old sandbox and not the new one. As such, users that update to the newer Reader release are not at risk.
The path from being constantly under attack to now being significantly more secure also has a lot to do with internal development practices. Arkin explained that security is not an afterthought, but is an integral part of the entire development process at Adobe.
“We’ve now reached cruising altitude on the runtime product side,” Arkin said. “It was a lot of work to get there, but now that we’re there, we study what is going on in the research community, and try and stay ahead of what people are attacking.”
Arkin added, “for Reader and Flash Player, we have been able to keep people safe over the past few years, and we just need to keep doing that.”
Watch the full video interview with Brad Arkin, Ccief security officer at Adobe, below:
Sean Michael Kerner is a senior editor at eWeek and InternetNews.com. Follow him on Twitter @TechJournalist