Brad Arkin on the state of Adobe security

The way IT security pros see it, Adobe is the monster they can't live with. But they really can't live without it, either. Users rely on Adobe software to create, edit and view a variety of rich media content. But for many security practitioners, frequent attacks against a range of security holes have become too much to take. It's a reputation Brad Arkin -- Adobe's senior director of security, standards, open source, and accessibility -- is acutely aware of.

Back in 2010, he addressed the issue in a Q&A I conducted with him. He said, among other things:

"The point we try to make is that the threat landscape is evolving quite rapidly and we're doing everything possible to react to that and stay ahead of what's happening. We understand that the reason Adobe is such a big target for the bad guys is that it's so ubiquitous. Something like Reader or Flash player is installed on just about every single machine out there that's connected to the Internet. That means the bad guys don't have to work so hard because if they can find a problem to exploit it can be directed at every machine. As a result, every bad guy on Earth is looking for something to exploit in our software. One thing we can do to make our products less attractive to the bad guys is to regularly update and make sure as many people as possible are using the most updated versions -- and make it as easy as possible for them to do so."

He also played up the fact that he's on the board for SAFEcode, an organization dedicated to working security into products from the beginning with more tightly-written code.

I touched base with Arkin a couple weeks ago to see how Adobe security is progressing, and he again mentioned SAFEcode. This time, he talked about how that organization has contributed directly toward Adobe's improvements.

"SAFEcode gives us the chance to talk to peers who are having different challenges," he said. "We're all central security teams working with widely distributed development teams. The value with us being able to interact with peers from other companies like Microsoft is huge. SIEMENS is the newest SAFEcode member and they are dealing with a lot of the stuff Adobe and Microsoft have had to deal with."

At Adobe, a huge focus has been getting users updated to the latest, most secure versions of its products.

"We've been putting a lot of incremental improvements into Reader but adoption wasn’t as high as we needed it to be," he said. "In April 2010 we turned on our auto-updater and that's increased deployment significantly. In June 2011 we changed the default setting from semi-auto to silent auto. Users need the update but if asked they won’t want to be bothered. So the goal was to make it so they wouldn’t have to be bothered."

On other fronts, in February 2012 Adobe shipped the background updater for the Windows-based Flash Player and a couple weeks ago the same was done for the Mac version.

Looking at the big picture, he said:

"Educated watchers know security has been a huge focus for us. In 2009-10 we saw a lot of attacks. We studied the bad guys' techniques and made changes to Reader 8 and 9 as a result. We've gotten hundreds of millions updated to version 10 since its release. We were making improvements to older versions which helped, but it was a real cat and mouse game. On version 10 we have our version of sandboxing.

"The bad guys attacked Flash a lot in 2010-11. The security update response time for Flash is now an average of 5 days. We are adapting the Reader auto update strategy to Flash player, but it's a little more difficult because of the different ways Flash communicates with the different browsers. We can’t do this just once like we could with Reader."

Copyright © 2012 IDG Communications, Inc.