Adobe Calls For Defensive Approach In Security Research

Mitigation methods the emphasis at Adobe

CANCUN, MEXICO -- Kaspersky Security Analyst Summit 2012 -- Adobe Software's product security executive here today urged security researchers to consider focusing on coming up with defensive strategies for stopping attacks rather than just on finding new offensive attacks.

Brad Arkin, senior director of security for Adobe products and services, says Adobe's goal is not to address each and every vulnerability that's discovered in its software, but instead to build mitigations that drive up the cost of writing exploits: "It's how to drive up the cost [for attackers] to write exploits, versus making the [Adobe] software perfect," he said here on the first day of the Kaspersky Security Analyst Summit.

Offensive security research does the reverse: by publishing new techniques it actually drives down the cost for attackers, he said. "The skill of writing something first is very high, but the cost to adapt a proven [attack] is a lot easier to do," Arkin said.

That doesn't mean offensive research isn't part of the equation, but there's a big need for new technologies to deflect today's advanced attacks, according to Arkin. Adobe has deployed sandboxing in the newest versions of its products, as well as Microsoft's Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). "ASLR, DEP ... and sandboxing are driving up the cost for the bad guys," he said.

Only about two dozen vulnerabilities in Adobe products during the past 24 months actually ended up with exploits, he said. "Finding a bug is fairly straightforward ... writing an exploit against it is a lot harder, and writing a reliable exploit that works 100 percent of the time is even harder," Arkin said.

Arkin said that for a software vendor tasked with protecting and defending its products, new offensive methods only make the job more difficult. Defensive research is a way to "make a difference" for software vendors, Arkin told the attendees, who included security researchers from Kaspersky and other firms. "Finding new offensive techniques honestly doesn't help us with anything," he said.

Recent data showed that the biggest jump in attacks against Adobe applications occurs after an attack method goes public or a Metasploit penetration-testing module is written, he said. "There's a heavy correlation between a broader release of information and more people getting attacked."

Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab, agreed. "It's a trickle-down effect," he said. "It becomes mainstream."

Defensive research is essential, Schouwenberg said. "Offensive is going lower and lower [in the stack]. There's a lot of room for defensive strategies [for this]," he said.

Taking the approach of fixing every possible bug, many that aren't exploitable, can backfire. "When I look at how to defend our users or our technology, spinning our wheels on CVEs doesn't help anything," Arkin said. "We fixed thousands of bugs in Adobe 9, screwing up a lot of the code that should have stayed where it was."

Adobe has since reallocated its investment toward mitigations such as sandboxing, rather than emphasizing only the discovery and remediation of individual bugs.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...

Alex H., User Rank: Apprentice
2/7/2012 | 8:39:49 PM
re: Adobe Calls For Defensive Approach In Security Research
Last week, Brad Arkin from Adobe urged security researchers to consider focusing on defensive strategies for stopping attacks, rather than just on finding new offensive attacks. It does not make any sense to me. It's not an either-or. Adobe should be adding additional layers of security to their products as an offensive strategy. On the defensive side, they should minimize their product vulnerabilities. In reality, sophisticated attackers have already found the vulnerabilities, and I believe it is our responsibility as software developers to provide inherently secure products and, in the cases where they are not, fix them effectively and move on. I blogged more about this approach today @http://blog.coresecurity.com/2012/02/... -- Alex Horan, CORE IMPACT Product Manager