Accept defeat and change the battle plan, says Adobe security chief

Security professionals are good at lying to themselves that they are evenly matched with their adversaries, says Adobe CSO Brad Arkin

Information security professionals are good at lying to themselves that they are evenly matched with their adversaries, says Brad Arkin, chief security officer at Adobe.

“The best thing to do is to acknowledge when security strategies are not working,” Arkin told the Security Development Conference 2013 in San Francisco.

According to Arkin, it is often better to accept defeat and change tactics rather than following traditional wisdom and dogma.

He recommends information security professionals take a step back, identify what they are trying to do and evaluate if what they are doing is really getting them any closer to achieving that goal.

“If not, it is time to change tactics in a way that will enable you to apply limited resources in a more efficient way,” Arkin said.

“According to dogma, we make software more secure by finding and fixing vulnerabilities in code, but experience has shown that is a complete waste of time."

Read more about secure code development

Arkin backs up his assertion with the fact that Adobe Reader and Adobe Flash suffered one of their biggest series of zero-day attacks after extensive fuzz-testing and bug-fixing exercises.

In contrast, there was a dramatic drop in the number of attacks on Adobe Reader with the introduction of version 10.

“What changed from version 9 to 10 was the introduction of sandbox technology which made attacks possible only through multiple stages,” said Arkin.

The reason this strategy was effective where vulnerability reduction was not, he said, is that it increased the effort and cost required to carry out an attack.

“Attackers are economically rational; they will always seek to minimise the cost and effort of developing an exploit to take advantage of software vulnerabilities,” said Arkin.

Conversely, finding and fixing bugs is hugely expensive, but it will never be effective because there will always be vulnerabilities in code and attackers just have to find one to make it worthwhile.

Mitigations like sandboxing are more effective because they change the cost equation for the attacker. “By making an application a less attractive target, attackers can be diverted,” he said.

Arkin called on the developer community to focus on potential exploits and forget about fixing bugs and vulnerabilities. “Making it harder for attackers to exploit vulnerabilities is what works,” he said.

“If what you are doing is not working, step back, reframe the problem, and find a new and effective approach to achieve what you are trying to do,” he said.

Read more on Hackers and cybercrime prevention