Adobe shifts to Microsoft patching process, incident response plan

By Robert Westervelt, News Editor 21 May 2009 | SearchSecurity.com

Security UK News Digg This!     StumbleUpon     Del.icio.us

Adobe Systems Inc. said it would revamp its incident response process and offer more support of security tools to lock down Adobe technologies.

The software maker announced sweeping changes to its patching processes Wednesday. Updates for Adobe Reader and Acrobat will be released quarterly beginning in December. The process will mirror Microsoft's monthly Patch Tuesday bulletin updates and be released on the same days each quarter, Brad Arkin, Adobe's director of product security and privacy wrote in a message on the company's Adobe Secure Software Engineering Team blog.

Arkin noted that Adobe said its engineers have been focused on revamping Adobe's software security processes since February when a critical image handling flaw was being actively exploited in the wild. Security researchers noted at the time that Adobe could have moved faster to issue an update to accommodate its large user base, despite ongoing attacks being limited and targeted.

"Everything from our security team's communications during an incident, to our security update process to the code itself has been carefully reviewed," Arkin said.

Adobe said its latest changes improve its incident response process, introducing more timely communications and faster turn-around times on patch releases. The software vendor will also try to issue simultaneous patches to address all affected versions.

Arkin said Adobe has also been improving its security development lifecycle, using Microsoft's Security Development Lifecycle as a blueprint for Adobe software. Adobe introduced threat modeling, automated and manual security code reviews and fuzzing for all its products. Arkin said the latest focus has been on hardening at-risk areas of the legacy code.

"Even in cases where no immediate vulnerability was identified, we have been strengthening input validation on a best-practice basis," he said.

The first signs of changes to Adobe's security process were first reported by SearchSecurity.com in December, when Adobe launched its Adobe Secure Software Engineering Team blog to increase visibility in the security community and get security researchers to report vulnerabilities directly to the software vendor. Adobe also improved its software code at the time, enabling secure compiler flags in Flash Player and Adobe Reader. Flags help ensure developers don't store static passwords, encryption keys or other sensitive data within the source code of a SWF file.

Tags: Secure Coding and Application Programming,  Platform and OS Security Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Secure Coding and Application Programming Open source software security tops commercial apps, study finds Improving software with the Building Security in Maturity Model (BSIMM) SANS Institute, MITRE release new top 25 dangerous coding errors list Code complexity analysis: How to keep it simple Active PDF attacks target Reader, Acrobat zero-day vulnerability Software piracy group offers cash to whistleblowers SQL injection detection tools and prevention strategies Cross-site scripting explained: How to prevent attacks H.D. Moore speaks about Metasploit Project deal, Release 3.3 Metasploit Project acquired by vulnerability management firm Rapid7 Platform and OS Security Management Microsoft issues advisory on new IE security vulnerability Microsoft patches SMB flaws, Hyper-V problem in big update Microsoft blue screen affecting few corporate PCs Microsoft to fix 26 flaws in Windows, Office Thin-client technologies surge thanks to easier security, says Deloitte Microsoft issues critical security update, blocks IE 6 attacks How to use Windows XP Mode in Windows 7 Microsoft to patch single Windows 2000 vulnerability How to prevent memory dump attacks Microsoft gives Internet Explorer a major security overhaul

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Serious Organized Crime Agency  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary