Adobe continues to use crises to drive security change

Adobe continues to use crises to drive security change, according to the company’s director of product security

Adobe has continued to use crises to drive security change, according to the company’s director of product security David Lenoe.

“Following the breach in October 2013 it was a dark time to be on the security team at Adobe,” he told the Information Security Solutions Europe (ISSE) 2014 security conference in Brussels.

The breach, which compromised around 38 million customer payment card details and some source code for Photoshop, came just over a year after a breach of one of Adobe’s code-signing servers.

Adobe's chief security officer Brad Arkin previously said he used the 2012 breach to drive security change and improvement.

Lenoe said the 2013 breach was no different. Instead of security staff leaving or becoming discouraged, it helped forge stronger relationships across all security and product development teams.

“The response to the breach was to focus on the company as a whole to break down any remaining silos of activity, to focus on the security team as a whole, and to focus on individuals,” he said.

A positive organisational change was to give Arkin oversight of all areas and increase knowledge sharing and cross-training across the company.

As part of this process, Adobe introduced a security track to the company’s biennial engineering summit, set up regular cross-company hackfests, and made security a key focus in regular developer seminars.

Presentations by security team members from other companies including Facebook, Netflix and Google have featured in recent developer seminars.

“We have also tapped into Adobe’s email-driven culture to set up a security-related mailing list, which has grown to an active and interactive community having some awesome conversations,” said Lenoe.

Security training programme

To help support the goal of continually improving the effectiveness of the security team and raising security awareness across the company, Adobe runs a security training programme.

Security competency is expressed in martial arts terminology of white, green, brown and black belts.

To earn a white belt requires between two and eight hours of online training depending on the individual’s role, and the green belt requires between two and 11 hours of further online training.

However, the brown belt involves hundreds of hours of hands-on training through working on specific projects, such as developing specific fuzzing tools to check the security of software.

The black belt is also project-based, but typically involves relatively large security-related projects, such as adding sandboxing capabilities to Adobe Acrobat.

“The security training programme has raised the security IQ across the company and helped build a brand for the security team, as well as raising the profile of individuals in the team as subject-matter experts,” said Lenoe.

In addition to continuing security education and skills training, Adobe has sought to expand and deepen relationships with security teams in other technology companies and with security-related industry associations, such as the Open Web Application Security Project (Owasp), the Cloud Security Alliance (CSA), and the software assurance forum SAFECode.

“The focus on individuals is aimed at helping members of the security team to develop breadth across a variety of security topics, as well as depth in one or two areas such as mobile security or static code analysis,” said Lenoe.

“Every individual has particular areas of interest, so it is important to figure out what they are and to tap into them to help maintain interest and motivation,” he said.

Attracting and retaining skilled security professionals

Lenoe also said organisations should develop strategies for attracting and retaining people with security skills by ensuring their security teams are treated with care.

“Official statistics suggest little more than half of organisations find it a major challenge to hire security professionals with the right skills, but I believe the real figure is much higher.

“Attracting and retaining people with the right skills is difficult because there are a lot of jobs out there, so it is vital to give individuals the chance to be effective.

“I believe security professionals are all idealists at heart, and if they do not feel they are making a difference, they will get discouraged and leave,” he said.
