RSA 2010: Can Adobe Stop the Hate?
Security pros are unhappy with Adobe Systems over recent flaws and attacks. Adobe Security Chief Brad Arkin on what the company is doing about it.
By Bill Brenner, Senior Editor
February 28, 2010 — CSO —
SAN FRANCISCO -- The way IT security pros see it, Adobe is the monster they can't live with anymore. But they really can't live without it, either.
Users rely on Adobe software to create, edit and view a variety of rich media content. But for many security practitioners, frequent attacks against a range of security holes have become too much to take. In early February -- mere weeks after the company patched one critical flaw -- Adobe was forced to rush out another patch for its Reader and Acrobat software. The company also had to rush out a critical fix for Flash Player in February. At the start of the year, some security vendors openly predicted that Adobe would be the top target of attackers in 2010.
The company's security team has not taken the heat lying down. It has tried to use the blogosphere to stay in touch with customers regarding new flaws, attacks and fixes and has taken steps to improve the patch-installation process.
But for now at least, that's of little comfort to security pros like Christophe Veltsos, president of Prudent Security and keeper of the DrInfoSec.com site.
"I used to require that my students (at Minn. State U. Mankato) turn in their assignments in PDF format instead of Microsoft Word," he said, adding that in light of recent security problems, "I've switched back to Microsoft Word as it appears to be a safer alternative than PDF."
Not helping Adobe's image is that Steve Jobs has been slamming Adobe Flash, explaining to the press that it has no place in such Apple devices as the newly unveiled iPad. Specifically, he called it a CPU hog and a magnet for security holes.
At this week's RSA security conference, Brad Arkin, director of product security and privacy at Adobe Systems, will spend a lot of time with Adobe customers, explaining what the company is doing to improve security. He sat down with CSOonline.com a couple days before the start of RSA to offer a preview of what he'll discuss.
CSO: Adobe has had to confront a lot of security holes of late, and a lot of security practitioners have been expressing concern. What will you be doing at RSA to calm their fears?
Brad Arkin: We don't have any product announcements to make at RSA, but we'll be having a lot of meetings with customers and people from the media. Adobe is a member of the Software Assurance Forum for Excellence in Code (SAFECode) and I'm on the board, and we'll be having a meeting Monday. I'll also be speaking to groups and individuals at the various networking parties during the week. I'll be giving a lot of short talks to promote the security message we've been promoting for the past year. The biggest thing we're trying to achieve is transparency.