Following up on the announcement today that Adobe Systems Incorporated has joined SAFECode, I interviewed Brad Arkin, who will be serving as Adobe’s representative on SAFECode’s Board of Directors. Brad Arkin is the director of Product Security and Privacy at Adobe, where he is responsible for cross-company coordination and initiatives related to security and privacy. I asked Brad a few questions to learn a little about him, his role at Adobe, and why Adobe has joined SAFECode.


Q: What is your role at Adobe?
I manage two teams. One is the Adobe Secure Software Engineering Team, or ASSET. The other is the Product Security Incident Response Team, or PSIRT. The ASSET group coaches and evangelizes software security principles with development teams to make sure that security is most properly incorporated into software development to mitigate the risk of any security problems. Whenever a potential problem does make it into a product, our incident response team coordinates with other folks in the security community and begins working with our engineering teams on triaging the issue and getting a patch out the door.

Q: Can you tell us a little about Adobe’s software development programs?
We have thousands of software developers located around the world. And, at any time, we have hundreds of projects under development. Both Adobe Flash Player and Adobe Reader have some of the widest reach of any software product. For example, Flash Player is on close to 99 percent of all Internet-connected devices. So we have a massive install base for our software.

The code that we write gets deployed on pretty much every platform—whether it’s Windows, Mac, Linux or others. We’ve built desktop products, mobile products, server products and services.  To meet these diverse requirements, we use a combination of agile processes and formal methods.  We also build platforms that other people write code for, which means that we’re thinking not only about how to make our own software secure, but also how to help other developers make their software secure.

Thus, the secure development processes that we use have to be effective across a wide range of environments, methods and product types.

Q: Why did Adobe join SAFECode?
We take software security very seriously and are always looking to build upon what we’ve been able to accomplish so far.  We have a mature software security process and have developed a lot of experience in this area that we feel we can share in an effort to help the industry advance software assurance practices. We’re also looking forward to learning from the other SAFECode members and sharing some lessons that we’ve learned with them. In addition, there are some specific industry-wide initiatives that we’re looking to help drive through SAFECode, such as effective patch management across platforms.

Q: Are there any challenges in software assurance that Adobe is looking forward to working on with SAFECode?
A big challenge is how fast the threat landscape changes. An example is that 10-15 years ago, buffer overflow attacks were largely theoretical. Now they are common, and we’re seeing some pretty exotic kinds of attacks. The flip side is that companies are shipping code that, in some cases, might be as old as 10-15 years. We need to go back and improve the security of that code without decreasing the functionality of the programs. How do we efficiently improve code that was developed under different circumstances so that it meets today’s security challenges?  As a company and an industry, we’ve made a lot of progress in this area, but there is still work to do and we feel SAFECode provides a great platform for continuing these efforts and addressing these kinds of challenges.

Brad Arkin is director of Product Security and Privacy at Adobe Systems Incorporated. He is responsible for the Adobe Secure Software Engineering Team (ASSET) and Product Security Incident Response Team (PSIRT), as well as cross-company coordination and initiatives related to security and privacy. Arkin has worked in software security for more than 12 years. He served as a Technical Director for @Stake’s New York office and as a Senior Manager at Symantec. Earlier, Arkin worked at Cigital, where he co-founded the company’s software security group. Arkin holds a BS in computer science from the College of William and Mary, an MS in computer science from George Washington University, and MBA degrees from Columbia University and London Business School.