CSO - The way IT security pros see it, Adobe is the monster they can't live with anymore. But they really can't live without it, either.
Users rely on Adobe software to create, edit and view a variety of rich media content. But for many security practitioners, frequent attacks against a range of security holes have become too much to take. In early February -- mere weeks after the company patched one critical flaw -- Adobe was forced to rush out another patch for its Reader and Acrobat software. The company also had to rush out a critical fix for Flash Player in February. At the start of the year, some security vendors openly predicted that Adobe would be the top target of attackers in 2010.
The company's security team has not taken the heat lying down. It has tried to use the blogosphere to stay in touch with customers regarding new flaws, attacks and fixes and has taken steps to improve the patch-installation process.
But for now at least, that's of little comfort to security pros like Christophe Veltsos, president of Prudent Security and keeper of the DrInfoSec.com site.
"I used to require that my students (at Minn. State U. Mankato) turn in their assignments in PDF format instead of Microsoft Word," he said, adding that in light of recent security problems, "I've switched back to Microsoft Word as it appears to be a safer alternative than PDF."
Not helping Adobe's image is that Steve Jobs has been slamming Adobe Flash, explaining to the press that it has no place in such Apple devices as the newly-unveiled iPad. Specifically, he called it a CPU hog and a magnet for security holes.
At this week's RSA security conference, Brad Arkin, director of product security and privacy at Adobe Systems, will spend a lot of time with Adobe customers, explaining what the company is doing to improve security. He sat down with CSOonline.com a couple days before the start of RSA to offer a preview of what he'll discuss.
CSO: Adobe has had to confront a lot of security holes of late, and a lot of security practitioners have been expressing concern. What will you be doing at RSA to calm their fears?
Brad Arkin: We don't have any product announcements to make at RSA, but we'll be having a lot of meetings with customers and people from the media. Adobe is a member of the Software Assurance Forum for Excellence in Code (SAFECode) and I'm on the board, and we'll be having a meeting Monday. I'll also be speaking to groups and individuals at the various networking parties during the week. I'll be giving a lot of short talks to promote the security message we've been promoting for the past year. The biggest thing we're trying to achieve is transparency.
CSO: It seems like Adobe is taking the same level of heat Microsoft used to take in the days of Internet Explorer 6 and Windows 2000 and XP. How do you respond when people criticize Adobe for the flaws and attacks?
Arkin: The point we try to make is that the threat landscape is evolving quite rapidly and we're doing everything possible to react to that and stay ahead of what's happening. We understand that the reason Adobe is such a big target for the bad guys is that it's so ubiquitous. Something like Reader or Flash Player is installed on just about every single machine out there that's connected to the Internet. That means the bad guys don't have to work so hard because if they can find a problem to exploit it can be directed at every machine. As a result, every bad guy on Earth is looking for something to exploit in our software. One thing we can do to make our products less attractive to the bad guys is to regularly update and make sure as many people as possible are using the most updated versions -- and make it as easy as possible for them to do so.