Adobe Owns Up To Security Issues

The discussion surrounding how to make software vendors accountable for hacked systems and data breaches due to security problems in their products is, at best, an effort in futility. As much as we'd like to have Microsoft, Oracle, and Adobe take responsibility for software vulnerabilities that have caused us headaches and cost us money, we are stuck in an endless loop of dependence on their products.My question: What is it going to take for vendors to focus as much on security as they do on the inclusion of new features and the emptying of our pockets?

Based on the announcement from Adobe on Wednesday (and what we've seen from Microsoft with efforts like the SDL in the past few years), it takes becoming the whipping boy of the IT security community to the point that even end users and the general public take notice. Adobe has suffered from a couple of zero-day vulnerabilities that immediately became a popular attack vector to both pen-testers and malicious attacker alike. Having received so much negative press for the vulnerabilities and time it took to get them patched, Adobe has realized the need to focus on software security.

Brad Arkin, Adobe's director of product security and privacy, posted an announcement on one of Adobe's blog that "since February, Adobe Reader and Acrobat engineers have been executing a major project focused on software security." Everything from their incident response procedures during a security update to the actual development has been reviewed. Accordingly, they company has chosen to focus on three particular areas: code hardening, incident response process improvements, and regular security updates.

Bravo! While we security professionals are likely to say, "It's about freaking time," I think it's a bold move to publicly announce it the way it did. Adobe took ownership of the security issues in its products and is going to actively make efforts to produce more security products. It has taken a lesson from Microsoft, which has been pushing its Secure Development Lifecycle (SDL) for years now, and has also benefited with much more secure products, such as IIS 7 and SQL Server 2008, compared to previous versions.

Let's not forget about the possibility of government regulation to help force companies to "do the right thing" in regard to security -- but hopefully it won't come to that. I'm personally hoping that Adobe's move is part of a trend we'll continue to see. I know...I can dream, right?

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.