Q&A: Adobe's Brad Arkin on dealing with security

We spoke to Brad Arkin, Adobe's director for product security and privacy, about coping with security threats and future plans.

I'll walk you through how that worked out. It was about 10am, east coast time, on a Friday morning and a company contacted us, who we have a relationship with. They said, 'We have seen this sample, it looks new, you might want to look into it.'

We took the sample and started working on it. We verified that this was a new problem and not a known bug that had impacted an old version. We said, 'OK, this is a zero-day, let's figure out where the flaw is and then figure out a response plan.'

We worked over the weekend to first identify the line of the code where the flaw was and develop a fix, test the fix to make sure it works, look around the code to see if there is anything similar that we need to fix, because we don't want to fix a problem and see that there is another one behind it.

So we did all of that work over the weekend and then once the code was set, the next step is getting the patch out to users. We have to test Flash Player inside a browser on top of a platform and there are 60 different combinations so it has to work on every single one.

On Monday we published the advisory saying, 'We are aware of this issue and here is the schedule for the fix.' Then we continued to work on doing the patching.

On that Friday we finished testing Google Chrome on Windows, Linux and Mac and because Google Chrome has Flash Player bundled inside it we used a Chrome updater working with Google to push that patch out to users. So that came out Friday evening.

For a normal security update that is not an urgent situation we ship the patch for all platforms on the same day. This was a zero-day situation, we didn't want to delay getting a fix out and there is no benefit to users doing it all synchronised.

On the following Monday we were able to post the update for all users.

What was behind Adobe's decision to join the Microsoft Active Protections Program (MAPP) (a vulnerability information-sharing initiative)?

Microsoft launched the Active Protections Program publicly in 2008 and in early 2009 we started piloting different forms of information sharing with security vendors.

That pilot gave us a lot of feedback about how we could do the whole program. The feedback consistently was 'do more things like MAPP', so we talked to Microsoft to learn about how they do MAPP, and it made a lot of sense to just partner with Microsoft rather than reinvent the wheel.

The goal there, when we made the announcement over the summer that we were publicly going to do that and started rolling information out through that chain this Fall, was rather than creating a second information channel to the security vendors, let's leverage something that is proven to work.

What have the benefits been of joining MAPP?

It has been a positive step for us and it is something that is leveraging what we were doing around information sharing before. We are leveraging all the lessons learned that Microsoft has improved on in the last couple of years.
