Maiffret: I think the first articles saying Adobe is a bigger threat than Microsoft were something we only started seeing six months ago. The code security isn't there. The IT controls aren't there. The bad guys are in full swing taking advantage of these kinds of weaknesses, and the security vendors are playing catch-up.
Q: Adobe does have a visible security division. Do you think they are doing the best they can and that this is really about a changing landscape everyone's struggling with?
Maiffret: It's funny, but you can almost see a pattern among companies when the security spotlight is first thrust upon them. They suddenly find themselves in the crosshairs and the first thing they do is deny, passing it off as a marketing problem. Luckily, in the case of Apple and Adobe, they seem to have moved past that stage, and they've been staffing up on the security side. But Adobe is still in its infancy in terms of having a solid security process in place. But it took many black eyes and many years for Microsoft to get it.
Q: Many of the security admins I talk to regularly complain more about Adobe having a messy patch process than about the flaws themselves.
Maiffret: Oh, yeah. It's the perfect example of third-party applications that are a weird hybrid of things meant for consumers and businesses. There's a vast difference in how my mom will handle security on her computer and what an IT person might do. Their patching right now is really consumer-centric and it's only just starting to focus more on the tools IT needs to get the jobs done.
Q: Let's get back to Apple. Many people see that company as more secure than someone like Microsoft. What's your view?
Maiffret: Most people in the Apple world have a false sense of security and an elitism. I took some heat recently for saying Apple was way behind Microsoft on security. Look who they just hired for security -- Window Snyder, who played a lead role in helping Microsoft turn around their security. That shows the company starting to move past the denial part. It'll be interesting to see where they go from here.