Developing security minded software developers

image of Brad Arkin

23-Apr-2013 - While the roots of the Adobe software security program were officially planted in Macromedia in 2004, after 30 years in business Adobe knows the path towards software security starts with a single hire. That person determines what process makes sense and what steps are to be taken.

Pretty much any big company that develops software tinkers with the steps necessary to secure its products. Microsoft has its Secure Development Lifecycle and Adobe has its Secure Product Lifecycle.

“We don’t have a black-and-white, ‘thou shalt do this, no exceptions’ process,” said Brad Arkin, senior director of product security and privacy at Adobe.

“It’s understood it’s a process of give and take, to work with the product team to map the abilities. We don’t give them a free pass... we acknowledge that certain Adobe products are at greater risk than others. We spend time assessing the risk level, and based on that we might spend more time on certain activities.”

When a team is building anything that is very popular, and therefore an attractive target for attackers, much more thought goes into planning.

The team determines the risk profile – low, medium, high, very high – and works with the management team to ensure a minimum threshold of security IQ. Usually the teams want to do the assessment, because they want to learn, and security is a sexy topic.

“We have a belt model of security for the code writing and testing members – at the bottom layer is white belt,” Arkin said. “And we want everyone in the company to have a white belt. Next is the green belt, which takes twice the work as a white belt. We want at least one person per area to have a green belt, and sometimes a greater percentage, depending on the project.”

The training is computer-based training (CBT), with 8 or 10 hours of study followed by a quiz on each module: white belt takes 10 hours, green belt requires another 8.

The brown belt is project based, similar to a Master's thesis. It takes at least six months, and there are few brown belts, so it means something to earn one.

“We have a party, and sometimes award a 3ft x 5ft certificate and make them carry it around,” said Arkin. “A black belt we want to take at least two years. There aren’t very many. Achieving that goes right at the top of the resume, and it’s something to be proud of. The training tells us we’ve got a security-savvy, educated team. The more secure the product, the more security knowledge the team has.”