Q&A: Adobe's Brad Arkin on dealing with security

We spoke to Brad Arkin, Adobe's director for product security and privacy, about coping with security threats and future plans.

I'll walk you through how that worked out. It was about 10am, east coast time, on a Friday morning and a company contacted us, who we have a relationship with. They said, 'We have seen this sample, it looks new, you might want to look into it.'

We took the sample and started working on it. We verified that this was a new problem and not a known bug that had impacted an old version. We said, 'OK, this is a zero-day, let's figure out where the flaw is and then figure out a response plan.'

We worked over the weekend to first identify the line of the code where the flaw was and develop a fix, test the fix to make sure it works, look around the code to see if there is anything similar that we need to fix, because we don't want to fix a problem and see that there is another one behind it.

So we did all of that work over the weekend and then once the code was set, the next step is getting the patch out to users. We have to test Flash Player inside a browser on top of a platform and there are 60 different combinations so it has to work on every single one.

On Monday we published the advisory saying, 'We are aware of this issue and here is the schedule for the fix.' Then we continued to work on doing the patching.

On that Friday we finished testing Google Chrome on Windows, Linux and Mac and because Google Chrome has Flash Player bundled inside it we used a Chrome updater working with Google to push that patch out to users. So that came out Friday evening.

For a normal security update that is not an urgent situation we ship the patch for all platforms on the same day. This was a zero-day situation, we didn't want to delay getting a fix out and there is no benefit to users doing it all synchronised.

On the following Monday we were able to post the update for all users.

What was behind Adobe's decision to join the Microsoft Active Protections Program (MAPP) (a vulnerability information-sharing initiative)?

Microsoft launched the Active Protections Program publicly in 2008 and in early 2009 we started piloting different forms of information sharing with security vendors.

That pilot gave us a lot of feedback about how we could do the whole program. The feedback consistently was do more things like MAPP so we talked to Microsoft to learn about how they do MAPP and it made a lot of sense to just partner with Microsoft rather than reinvent the wheel.

The goal there, when we made the announcement over the summer that we were publicly going to do that and started rolling information out through that chain this fall, was rather than creating a second information channel to the security vendors, let's leverage something that is proven to work.

What have the benefits been of joining MAPP?

It has been a positive step for us and it is something that is leveraging what we were doing around information sharing before. We are leveraging all the lessons learned that Microsoft has improved on in the last couple of years.
