Adobe Systems has appointed Brad Arkin, the company's senior director of security for products and services, to become its first CSO. With a mature product security program already in place, the top priorities for Adobe's new security chief are to strengthen the security of the company's hosted services and its internal infrastructure.
For the past several years, Arkin has overseen Adobe's software product security efforts as leader of ASSET (Adobe Secure Software Engineering Team) and the Adobe PSIRT (Product Security Incident Response Team). During this time, Adobe Reader and Flash Player, two applications that are frequently targeted by attackers due to their large user base, have received significant security improvements including anti-exploitation mechanisms like sandboxing and silent automatic updates.
While the secure software engineering work will continue, Arkin's focus is strengthening the security of the company's hosted services, like the Adobe Creative Cloud and the Adobe Marketing Cloud.
"I think that our secure product lifecycle and the work we've been doing with our shrinkwrapped products is very mature," Arkin said. "We've been doing this for years now."
However, the company hasn't been doing hosted services for as long as it's been developing off-the-shelf software, "so we continue to enhance our monitoring and operation security in that area," Arkin said.
"Right now I am most focused on doing the things we can to protect our customers' data," he said. "We're doing a lot of great work there already, but there's even more work that we have planned and we'll be doing and it's a never-ending process. This is something that's just part of running hosted services."
There is a security roadmap for hosted services, and every new release of code, which happens every three weeks, brings a new security feature or improvement or some code hardening to those services, Arkin said.
In addition to enhancing the security of its hosted services, the company also plans to focus on strengthening its IT infrastructure and high-value internal systems against attacks.
The bad guys are really creative in the types of attacks they use against companies connected to the Internet, Arkin said. "We're working with security vendors and others in the defender community to make sure that we're putting the robust defenses in place on our internal infrastructure."
The company has experienced sophisticated targeted attacks in the past, Arkin said. One example is the incident disclosed by Adobe in September 2012, when attackers managed to compromise one of the company's internal code-signing servers and used it to sign malware with an Adobe digital certificate, he said.
This type of attack, which targets the company's infrastructure and not the code it produces or its users, represents a potential risk that needs to be managed and addressed, Arkin said. "Defending our internal operations, as well as our external hosted services and the code that we're writing, are all in the scope of the responsibilities for what I'm working on."