"The thing about free advice is that you often get what you pay for." -Unknown
I've been mulling over Adobe for the last couple of days, and intermittently for the last few years. Here we have a company that has, by all accounts, been highly successful, and yet seemingly has an absolutely terrible reputation in the security community (and now in the tech community, with the Apple dispute over Flash). It makes me wonder "what are these leaders thinking?" each time I hear reports about another issue and see very little in the way of satisfactory responses from the company.
From this perspective of outside-looking-in pondering, I thought I'd (perhaps arrogantly) postulate 5 steps that I think Adobe could take to help right the ship a bit, and maybe, just maybe, improve their perception in the industry. Can the phoenix rise from the ashes? Sure... but only with some major cultural changes...
Software Overhaul
There are several points that are valuable under this heading. First and foremost, while Adobe's product strategy seems to be consistently web/dev-oriented, there is still a lot of room for improvement. Chief among those improvements is to put many key products on a significant diet. Acrobat Reader is how many megs these days? 25? 40? 75? It's kind of ridiculous. I'm pretty sure Preview doesn't have all that garbage and, more importantly, it doesn't take a minute or two to launch.
Similarly, Adobe is living in a gray area with platforms like AIR and Flash (among others). AIR seems to run somewhat slowly and inconsistently (or maybe it's just the apps that run on it, though I don't think you can separate the two). Flash isn't necessarily slow so much as it's scary (AIR is, too, fwiw). Have you ever looked in depth at the full capabilities that Flash has? It's essentially a portable VM platform. That would be a cool idea if it weren't for all the nasty security and privacy issues inherent in it.
My suggestions are myriad, but I think it starts with releasing Flash as open source (maybe extend support for 12-18 months, but no more). AIR should also go through a major code review and re-engineering process to make sure that all the bad practices embodied in Flash haven't been inherited. There's been a lot of focus on Flash of late, but I'd be shocked if AIR weren't equally susceptible to badness. Oh, and btw, what's your Flash strategy with HTML5 anyway? It seems that a large use case (video) is about to go out the window, and with it the need to keep your runtime environment installed. Just sayin'...
I think it's also a good time to sit back and take stock. What's central to Adobe's strategy? For each product that fits in that strategy, what's core to the functionality vs. an add-on or value-add feature? I shouldn't have to download a 50MB install bundle in order to view PDF files. While the plugin support is great, it seems like every known plugin is also being bundled. I don't know that I've ever used a plugin (certainly not overtly) in Acrobat Reader. Why do I have them all downloaded and installed, then? What about providing them on-demand instead of by default? That's one of many lines of questioning that needs to happen.
The simple fact of the matter is that most Adobe software these days simply feels too heavy. Heavy software means lots of extra lines of code, which translates to a much larger attack surface. Reduce your footprint, Adobe, and you can proactively reduce security threats to your products.
Fix Your Patches and Patch Process
Downloading and reinstalling an entire application is not a "patch" - it's an upgrade or reinstall. This is not just a matter of semantics. Why does every Reader patch require downloading tens of megs of data? Is this because Reader is designed/coded in an inadequate manner? Does it really lack the object model that would better enable small, tight patches?
Second, what is up with this Adobe downloader? Is this your solution to your bloatware? Rather than fixing your products, you figured you could just mask the process, mayhaps? Allow me to suggest that this is not a solution, and barely a workable kludge. I don't need another downloader on my system. I need small, well-written patches that install quickly with little-to-no footprint.
Lastly, quit embedding all sorts of extra junk by default. I'm sure you think of this as "free money" in that you're (hopefully) getting revenue from installing things like the Yahoo address bar whatchamacallit, but I don't want that garbage. More importantly, it's making your bloated downloads even bigger. How is that providing value? It's not, and my solution is simply not to use your software. Is that a win for you?
Admit You Lack Security Clue
Newsflash: Your security team/program has a lousy reputation and almost no street cred (who IS your team, anyway?). All I could find about an Adobe security team was the PSIRT blog (http://blogs.adobe.com/psirt/). PSIRT != security program. Surely you must have a lot more people than that doing security, but it's certainly not evident.
The simple fact is that, from this outside perspective, you are suffering from an entrenched traditionalist mindset. The security world is passing you by, and it is costing you (whether you realize it or not). What are you doing to promote secure coding practices? Do you have a development lifecycle that incorporates security at every level? Is there accountability? Who's in charge of security?
It would be advisable to take a tip from Microsoft. Go check out their SDL and read up on their mass retooling around security. It's taken them close to a decade to get to a better place. They still suffer from lots of legacy software security issues. You need to become more agile, more secure, and more accountable. It's time to revamp your corporate culture to instill secure coding and infosec as core values. Redefine yourself and your practices and then make it a priority to start fixing things ASAP.
You need to get outside help as part of such an effort. Relying too much on an insider's view will blind you to reality and prevent you from seeing what needs to be done. Engage an organization that specializes in security, and in particular one that specializes in appsec. It's imperative that this be done ASAP and as a top-level priority.
You're Not Microsoft (or Apple)
Here's what I think is true:
* You're a big software company.
* You're a household name.
* Flash and Reader have dominated the market for the better part of a decade.
Here's what I also think is true:
* You don't get to play the bully role.
* You're not the cool kid.
* Your products are not secure (in fact, it's scary how insecure they are given the built-in features).
* People can generally live without your products.
The good news is that, unlike Microsoft, you probably can achieve "good enough" security. With a concerted effort, a new culture that takes security seriously, and a major investment in fixing things today, you can do what Microsoft and Apple will likely never be able to do: produce software that remains central to users' lives while being very secure, without continuing to suffer the embarrassing vulnerabilities that have surrounded Flash, et al, of late.
Let the Sun Shine In
Transparency and improved communication (and cooperation) with the security community would be a great change to make. In particular, consider:
* you're often perceived as very closed and secretive
* you're often perceived as unresponsive or ignorant of your own major security challenges
You need to address these perceptions, and quickly. Remember: sunshine is the ultimate disinfectant!
Toward this end, a few changes are suggested:
* PSIRT cannot be your only public face for security.
* Start talking (publicly) to people about what you're doing, what you're learning, etc.
* Turn the lawyers down a notch or ten (what's up with the disclaimer on every PSIRT blog post?).
* Get outside help. Make a big show of it. Reform, reform, reform. Security is a good thing.
---
What do you think? If you could give Adobe free advice, what would it be?
Comments (3)
Ben Tomhave for Adobe CSO!
If you can't beat 'em, join 'em!
Posted by Ron W | June 8, 2010 8:43 AM
Good posting, good tips, doubt they'll listen. boo.
However, you caused me to visit PSIRT for the first time, so I must say... Holy crap, the PSIRT blog is the lamest corporate blog I've ever seen (for a corporation of more than 100). So, not only do they totally not understand security, they apparently don't understand the difference between "blog", "patch release notification", and what the name of their team is supposed to be - Security Incident Response. OK, I get that they don't want to share incident details, but come on here, people. That's not a blog!
Posted by Dan Houser | August 12, 2010 12:42 AM
In fairness, they do have a couple other sites, but yes, it's really rather sad. A few other examples I could find:
Security Bulletins
http://www.adobe.com/support/security/
Dev Connection Security Topic Center
http://www.adobe.com/devnet/security/
Security & Privacy (summary / marketing type site)
http://www.adobe.com/security/
Posted by Ben | August 12, 2010 9:05 AM