Q&A: Adobe's Brad Arkin on dealing with security

We spoke to Brad Arkin, Adobe's director for product security and privacy, about coping with security threats and future plans.

I'll walk you through how that worked out. It was about 10am, east coast time, on a Friday morning and a company contacted us, who we have a relationship with. They said, 'We have seen this sample, it looks new, you might want to look into it.'

We took the sample and started working on it. We verified that this was a new problem and not a known bug that had impacted an old version. We said, 'OK, this is a zero-day, let's figure out where the flaw is and then figure out a response plan.'

We worked over the weekend to first identify the line of the code where the flaw was and develop a fix, test the fix to make sure it works, look around the code to see if there is anything similar that we need to fix, because we don't want to fix a problem and see that there is another one behind it.

So we did all of that work over the weekend and then once the code was set, the next step is getting the patch out to users. We have to test Flash Player inside a browser on top of a platform and there are 60 different combinations so it has to work on every single one.

On Monday we published the advisory saying, 'We are aware of this issue and here is the schedule for the fix.' Then we continued to work on doing the patching.

On that Friday we finished testing Google Chrome on Windows, Linux and Mac and because Google Chrome has Flash Player bundled inside it we used a Chrome updater working with Google to push that patch out to users. So that came out Friday evening.

For a normal security update that is not an urgent situation we ship the patch for all platforms on the same day. This was a zero-day situation, we didn't want to delay getting a fix out and there is no benefit to users doing it all synchronised.

On the following Monday we were able to post the update for all users.

What was behind Adobe's decision to join the Microsoft Active Protections Program (MAPP) (a vulnerability information-sharing initiative)?

Microsoft launched the Active Protections Program publicly in 2008 and in early 2009 we started piloting different forms of information sharing with security vendors.

That pilot gave us a lot of feedback about how we could do the whole program. The feedback consistently was do more things like MAPP so we talked to Microsoft to learn about how they do MAPP and it made a lot of sense to just partner with Microsoft rather than reinvent the wheel.

The goal there, when we made the announcement over the summer that we were publicly going to do that and started rolling information out through that chain this Fall, was rather than creating a second information channel to the security vendors, let's leverage something that is proven to work.

What have the benefits been of joining MAPP?

It has been a positive step for us and it is something that is leveraging what we were doing around information sharing before. We are leveraging all the lessons learned that Microsoft has improved on in the last couple of years.
