
The multiple stages of developing secure software


3-Sep-2013 - The sandbox technique comes at the start of the design stage.

At the requirements phase, development teams perform threat modeling, taking care not to generate huge amounts of paperwork.

“At the whiteboard level, you can talk about what you’re building, what can go wrong, and what you need to be worried about,” said Adobe senior director of product security and privacy Brad Arkin. “At the design phase we want to catch a problem, usually ambiguity. Sometimes we ask, ‘how are you going to take care of this situation?’ and the answer is, ‘well, we haven’t thought about it’.”

Logic-based security flaws get put into the code when someone doesn’t think about the big picture.

The development stage is where implementation-layer problems come in. You can have perfect design and requirements, but with a typo in the code you’ll have execution issues.

“We do some code reviews by hand, but usually we use tools that look at the code and spot problems for us,” Arkin said. “Sometimes we hire outside companies to look for problems. Or we look at ways to exercise the product.”

“We also do fuzz testing – a form of automating security testing. For example we create specially corrupted files to see if Reader opens them correctly or if it crashes. It exercises the code against bad input to see how it handles it.”
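The fuzz testing described above, as an added example that is not Adobe's code: a small harness corrupts a valid file in a fixed set of ways, feeds each variant to a parser, and separates clean rejections from crashes. The `TOY1` file format, both parsers and the planted defect are hypothetical, and an unexpected Python exception stands in for a crashing process.

```python
MAGIC = b"TOY1"
# Constructed seed file in a made-up format: magic, 1-byte length, payload, 1-byte checksum.
SEED = MAGIC + bytes([5]) + b"hello" + bytes([sum(b"hello") % 256])

def parse_record(data):
    """Hypothetical parser with a planted defect: it trusts the length field."""
    if data[:4] != MAGIC:
        raise ValueError("bad magic")
    n = data[4]
    payload = data[5:5 + n]
    if sum(payload) % 256 != data[5 + n]:  # no bounds check: IndexError on short input
        raise ValueError("bad checksum")
    return payload

def parse_record_checked(data):  # the same parser after the fix
    if len(data) < 6 or data[:4] != MAGIC:
        raise ValueError("bad header")
    n = data[4]
    if len(data) != 6 + n:
        raise ValueError("length field does not match file size")
    payload = data[5:5 + n]
    if sum(payload) % 256 != data[5 + n]:
        raise ValueError("bad checksum")
    return payload

def mutations(seed):
    """Deterministic corruptions: overwrite each byte three ways, then truncate."""
    for i, b in enumerate(seed):
        for value in (0x00, 0xFF, b ^ 0x01):
            yield seed[:i] + bytes([value]) + seed[i + 1:]
    for cut in range(len(seed)):
        yield seed[:cut]

def fuzz(parser, seed=SEED):
    """Run every corrupted file through the parser and sort the outcomes."""
    report = {"ok": 0, "rejected": 0, "crashes": []}
    for case in mutations(seed):
        try:
            parser(case)
            report["ok"] += 1
        except ValueError:        # clean rejection: the behaviour we want
            report["rejected"] += 1
        except Exception as exc:  # anything else stands in for a crash
            report["crashes"].append((case.hex(), type(exc).__name__))
    return report

if __name__ == "__main__":
    for parser in (parse_record, parse_record_checked):
        print(parser.__name__, fuzz(parser))
```

The crashing inputs recorded for the first parser are the truncated files and the oversized length byte; rerunning the same corpus against the fixed parser is the regression check.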

To ship the shrink-wrapped product or make it downloadable from a hosted service, Adobe stages the code in an environment that mimics production to see how it does, then deploys it to the actual production environment.

Now the operational team watches to ensure everything is going well.

“We use a lot of logging to keep an eye on what behaviors are happening,” said Arkin. “If a bad guy is doing something, we want to be able to detect it right away. We want to catch a flaw in the code that someone is trying to SQL inject. The luxury of hosted service is we have the chance to catch it – provided we’re paying close attention.”

The operational team looks for many things. Abuse is one: using legitimate functionality in an inappropriate way. For example, someone can use FormsCentral to build a form that looks like it comes from a bank. Adobe has a way to detect abuse and to respond to it.

Since the company also does a lot of image hosting, it must be careful that others don’t use it to host inappropriate images that violate laws or TOSAs.  

During the next phase of development the team is working on what comes next.  

“We also refresh the training materials,” Arkin said. “Security tactics never stand still, so we’re always stepping up the security IQ of the company.”

To avoid making product teams stop everything for a security review, the security team works alongside the development teams, so both teams do better work, have fewer reworks, and are in a better position when there’s a new advance or a better tactic to take advantage of.

At the center is community. At every phase of the work it’s doing, Adobe wants to spend time interacting with the community to take advantage of ideas.

“Even if we didn’t invent it, we want to find out about it, and bring it to bear inside our development process,” said Arkin. “So if the guys running Gmail have identified a new trick, we can take advantage of their experience and get to work protecting against it right away. Sometimes we can eliminate the threat right away. We’re sharing actionable information with the outside world when we can, and not learning the same lesson the hard way.”

Security at Adobe has been improving and evolving over time and with each new acquisition.

“I’ve been here five years, and I still feel new,” Arkin said. “At the high level the steps are the same, but when you get into the details, it’s all changed.”