Slide 1: Bullseye on Your Back: Life on the Adobe Product Security Incident Response Team
David Lenoe | Wendy Poland
© 2010 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

Slide 2: Who Are You?
- Software vendors?
- Security researchers?
- IT pros?
- General schadenfreude fans?
- Just here for the food?

Slide 3: Who We Are
- Wendy Poland, Security Response Program Manager
- PSIRT = Product Security Incident Response Team
- ASSET = Adobe Secure Software Engineering Team

Slide 4: Who We Are
- Dave Lenoe, Product Security Program Manager

Slide 5: Who We Are
- Brief PSIRT overview
- We'll talk through a case study, and you'll see what we do in more detail.

Slide 6: Ubiquity Brings Responsibility
- Adobe Reader is installed on 98%+ of desktops
- 98%+ of desktops + rich feature set + broad compatibility = target of attack
- "I would never speculate on limit. Every time you speculate, you're way too conservative." - John Warnock, Adobe Founder

Slide 7: Adobe PSIRT Overview
- Security researchers seem to be paying a TINY bit more attention to Adobe products now...

Slide 8: What We're Going to Talk About
- Walk through a zero-day case study
- Discuss lessons learned
- Talk about what we're doing now
- ASSET & PSIRT overview

Slide 9: What We Hope You'll Get Out of This Talk
- Learn from what happened to us
- Learn about what Adobe is doing to protect customers

Slide 10: Dedicated Security Resources
ASSET
- Supports ongoing secure software development
- Conducts proactive security reviews
- Defines and champions the security product lifecycle
- Performs incident analysis to drive further improvements
PSIRT
- Front-line responders to security incidents
- Manages communications with security researchers
- Communicates mitigations and patch schedules
- Produces detailed security bulletins

Slide 11: PSIRT Workflow (workflow diagram)

Slide 12: Case Study: doc.Media.newPlayer Issue
- doc.Media.newPlayer issue
- CVE-2009-4324

Slide 13: Case Study: doc.Media.newPlayer Issue - Day 1
Timeline:
- 12/14/2009: First report received
- 12/25/2009: Christmas
- 1/1/2010: New Year's Day
- 1/12/2010

Slide 14: Case Study: doc.Media.newPlayer Issue - Day 1 (cont.)
- Day 1: 12/14/2009, 1:12 p.m. PST

Slide 15: Case Study: doc.Media.newPlayer Issue - Day 1 (cont.)
- Usually, we know about vulnerabilities found in the wild... (most exploits are of known, fixed issues).
- This time we didn't.
- Triage: is this a real issue?

Slide 16: Case Study: doc.Media.newPlayer Issue - Day 1 (cont.)
- Zero Day Meeting: always fun to see this invite in your mailbox

Slide 17: Case Study: doc.Media.newPlayer Issue - Day 1 (cont.)
- Adobe Connect (screenshot)

Slide 18: Exploit Demo
- DEMO

Slide 19: Case Study: doc.Media.newPlayer Issue - Day 1 (cont.)
- Best Practice: Working with more partners and customers to get faster communication of possible issues / exploits
- Yes, it's a zero-day: need to acknowledge publicly via PSIRT blog post

Slide 20: Digression - ASSET Certification Program
- Speaking a common language: importance of training (proactive steps in preparation for reactive steps)

Slide 21: Digression - ASSET Certification Program

Slide 22: Digression - ASSET Certification Program
- DEMO

Slide 23: What We Have Done
Executing Secure Product Lifecycle + Creating a Culture of Security = More Secure Products
- Initiative for all Adobe products
- Action plan defined and executed by security researchers
- Each release furthers our security posture
- 80-point security plan for every product
- Comprehensive training and certification on security for all engineers
- Security best practices and intelligence program

Slide 24: Case Study: doc.Media.newPlayer Issue - Day 1 (cont.)
- Questions:
  - How wide is the exploitation?
  - Is there a workaround? Yes: JavaScript Blacklist
  - Is this something we already know about / fixed in the next version? No
- Verify info and get it ready for publication
- Best Practice: Partners are good, workarounds are better.

Slide 25: Case Study: doc.Media.newPlayer Issue - Day 2
Timeline:
- 12/14/2009: First report
- 12/15/2009: Security Advisory released
- 12/25/2009: Christmas
- 1/1/2010: New Year's Day
- 1/12/2010

Slide 26: Case Study: doc.Media.newPlayer Issue - Day 2 (cont.)
- Publish workaround via Security Advisory
- When can we patch?
- Zero-day branch vs. scheduled quarterly update

Slide 27: Case Study: doc.Media.newPlayer Issue - Day 2 (cont.)

Slide 28: Case Study: doc.Media.newPlayer Issue - Day 3
Timeline:
- 12/14/2009: First report
- 12/15/2009: Security Advisory
- 12/16/2009: ASSET blog posted
- 12/25/2009: Christmas
- 1/1/2010: New Year's Day
- 1/12/2010

Slide 29: Case Study: doc.Media.newPlayer Issue - Day 3 (cont.)

Slide 30: Case Study: doc.Media.newPlayer Issue - Day 4
Timeline:
- 12/14/2009: First report
- 12/15/2009: Security Advisory
- 12/16/2009: ASSET blog
- 12/17/2009: JS Blacklist feedback
- 12/25/2009: Christmas
- 1/1/2010: New Year's Day
- 1/12/2010

Slide 31: Case Study: doc.Media.newPlayer Issue - Day 4 (cont.)
- First use of the JavaScript Blacklist workaround
- Customer feedback on the workaround

Slide 32: Case Study: doc.Media.newPlayer Issue - Christmas Day
Timeline:
- 12/14/2009: First report
- 12/15/2009: Security Advisory
- 12/16/2009: ASSET blog
- 12/17/2009: JS Blacklist
- 12/17/2009 - 1/11/2010: Testing
- 12/25/2009: Christmas
- 1/1/2010: New Year's Day
- 1/12/2010

Slide 33: Case Study: doc.Media.newPlayer Issue - Christmas Day (cont.)
- We're not the only ones working over the holidays, unfortunately.
- Customer emails, calls, etc.

Slide 34: Digression - Working on PSIRT
- The challenges...
  - Working over the holidays
  - The product teams don't particularly like to hear from us.
- Some job perks...
  - More spam
  - Can't just walk into Adobe cafeterias unnoticed anymore
  - Mysterious file attachments
  - Arbitrary Facebook friend requests

Slide 35: Case Study: doc.Media.newPlayer Issue - January 12, 2010
Timeline:
- 12/14/2009: First report
- 12/15/2009: Security Advisory
- 12/16/2009: ASSET blog
- 12/17/2009: JS Blacklist
- 12/25/2009: Christmas
- 1/1/2010: New Year's Day
- 1/12/2010: Security Bulletin released

Slide 36: Case Study: doc.Media.newPlayer Issue - Security Bulletin Release
- January 12, 2010

Slide 37: Case Study: doc.Media.newPlayer Issue - Security Bulletin Release
- Bulletin and patch are released
- Press coverage
- Getting the patch distributed is a huge focus: the vast majority of exploits in the wild are against old versions

Slide 38: New Updater
- Brief overview of Adobe Reader / Acrobat updater technology

Slide 39: Communication - Transparency
- Transparent communication
  - With customers
  - With researchers
  - With partners
  - With AV companies
  - With the press, bloggers, among others...
- Can't run away and hide: not effective

Slide 40: What's Happening Today
- Expansion of team: we're still hiring!
- Secure Product Lifecycle (SPLC) overview/roadmaps
- Executive/board support

Slide 41: Where to Next?
How to contact us:
- PSIRT email: PSIRT@adobe.com
- Web form: http://www.adobe.com/misc/securityform.html

Slide 42: Where to Next?
- Where to send sympathy cards and flowers :)

Slide 43: Where to Next?
Where to find us:
- PSIRT blog: http://blogs.adobe.com/psirt/
- ASSET blog: http://blogs.adobe.com/asset/
- Security bulletin page: http://www.adobe.com/support/security/
- Security portal: http://www.adobe.com/security/
- Visiting conferences like this one!

Slide 44: Q & A
- No iPhone/iPad questions please!
