Adobe has named Brad Arkin to the newly created position of CSO, a major expansion of responsibilities for Arkin, who has been leading the company’s product security and privacy initiatives.
Adobe has been in the security spotlight for several years now, as attackers have focused their attention on the company’s portfolio of products that enjoy user counts in the billions. Flash and Reader have been frequent targets for attackers who are always on the lookout for vulnerabilities in widely deployed applications, which give them the best chance of compromising a high number of users. Exploits for Adobe products often pop up in commercial exploit kits such as Cool, Blackhole and others, and Flash and Reader zero days are highly prized in the hacking underground.
As the threats to Adobe’s products have escalated, so too have the company’s efforts to combat them. Arkin joined the company in 2008, just as Adobe was emerging as a key target. Before that, attackers had mainly focused on Microsoft, Oracle and browsers, but the ubiquity of Adobe’s products drew their attention. Arkin began addressing the problem from the bottom up, implementing a software security program designed to help developers write more secure code and eliminate vulnerabilities before products ship. The company joined the BSIMM program to help measure the effectiveness of the security development lifecycle and also began implementing countermeasures in its products to help prevent exploitation of vulnerabilities.
One of the key changes Arkin’s team made was the implementation of a sandbox for both Flash and Reader. The sandbox helps prevent an attacker from using a bug in a protected application to break out and gain control of the underlying operating system. With Flash running on more than a billion machines, the sandbox gives users of modern versions good protection.
In his new role, Arkin will continue to run the company’s ASSET security research team and the PSIRT product response team, but also will have responsibility for Adobe’s worldwide infrastructure security.
“In my new role, I have the opportunity to lead Engineering Infrastructure Security, a team that builds and maintains security-critical internal services relied on by our product and engineering teams, such as code signing and build environments. I will also continue to manage and foster two-way communication with the broader security community, a vital part of the central security function,” Arkin wrote in a blog post.
“The driving goal behind our security work is to protect our customers from those who would seek to harm them. Adobe has some of the most widely-deployed software in the world and we are keenly aware that this makes us a target.”