Hey everyone, Jeremy Dallman here. Today I will be co-blogging with David Lenoe (Group Program Manager, Adobe Secure Software Engineering Team (ASSET)). Now, here’s the story behind the Microsoft and Adobe security pairing …
A couple of years ago, Microsoft and Adobe made a decision to work together on security rather than pursue our similar security goals in isolation within each company. Our security teams have since been working closely together with the clear goal of protecting our mutual customers. This collaborative relationship enables faster implementations of security protection through the lifecycle processes both companies offer (Microsoft’s Security Development Lifecycle – SDL, Adobe’s Secure Product LifeCycle – SPLC), and allows us to share best practices learned over the years. In turn, each company learns about new ways to apply its own lifecycle plan, thereby helping to provide our customers with a more secure computing environment.
Through the last couple of years we have had conversations about defining and implementing security requirements, prioritizing security risk, threat modeling, the benefits of compiler/linker flag protections, fuzzing, and penetration testing. We’ve even shared data on security incidents and response.
Implement proactive engineering protections
With support from the security folks at Microsoft, ASSET helped the Adobe product teams set the security-related C++ compiler and linker flags such as /NXCOMPAT, /DYNAMICBASE (ASLR), /GS, and /SAFESEH. Working together, we were able to address compatibility issues and get these protections in place for both Adobe Flash Player and Adobe Reader. These protections have helped to mitigate entire classes of vulnerabilities in Microsoft products and will improve the security of Adobe products as well.
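The following added example, which is not code from the original post or from either company, shows one way to audit a shipped binary for the flags named above: it reads the PE header and reports whether the /DYNAMICBASE and /NXCOMPAT bits are set and whether a load configuration directory (where the /GS cookie and the /SAFESEH handler table are recorded) is present. The function names and the header-only sample image are constructed for illustration.

```python
import struct

DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, set by /DYNAMICBASE
NX_COMPAT = 0x0100     # IMAGE_DLLCHARACTERISTICS_NX_COMPAT, set by /NXCOMPAT
LOAD_CONFIG_DIR = 10   # data directory that records the /GS cookie and /SAFESEH table

def pe_mitigations(data: bytes) -> dict:
    """Report the mitigations visible in the headers of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24                                        # signature + 20-byte COFF header
    try:
        magic, = struct.unpack_from("<H", data, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]      # PE32 / PE32+ directory offset
        dllchar, = struct.unpack_from("<H", data, opt + 70)
        ndirs, = struct.unpack_from("<I", data, dirs - 4)
        rva, size = 0, 0
        if ndirs > LOAD_CONFIG_DIR:
            rva, size = struct.unpack_from("<II", data, dirs + 8 * LOAD_CONFIG_DIR)
    except (struct.error, KeyError) as exc:
        raise ValueError("truncated or unsupported optional header") from exc
    return {
        "DYNAMICBASE": bool(dllchar & DYNAMIC_BASE),
        "NXCOMPAT": bool(dllchar & NX_COMPAT),
        "has_load_config": rva != 0 and size != 0,
    }

def sample_pe32(dllchar: int, load_config: bool) -> bytes:
    """Constructed header-only PE32 image for the demo (not a loadable binary)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<H", opt, 70, dllchar)             # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    if load_config:
        struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_DIR, 0x2000, 0x48)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for name, img in [("hardened", sample_pe32(0x0140, True)), ("legacy", sample_pe32(0, False))]:
        print(name, pe_mitigations(img))
```

A present load configuration directory does not by itself prove /GS or /SAFESEH; confirming those requires reading the cookie and handler-table fields inside that directory.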
Encourage consistent security updating
Most recently, we worked together to publish some 2008 attack data on vulnerabilities affecting Microsoft and Adobe products in the Microsoft Security Intelligence Report. Our goal was to emphasize to our mutual customers that installing security updates for Microsoft, Adobe and other third-party applications is very important. Having customers update promptly when Microsoft or Adobe addresses vulnerabilities is the best way to avoid the rapid spread of attacks.
Adopt security tools
After the Microsoft Security Sciences team released !exploitable in March, some of Adobe’s security testing teams started using it on their own products along with WinDbg to analyze the results of fuzz testing. Microsoft and Adobe continue to work together to address questions and help improve the effectiveness of this tool.
Some of Adobe’s development teams also use static analysis tools like /analyze and FxCop to identify potential security vulnerabilities in source code.
Share response information
By collaborating across teams at Microsoft (the Microsoft Security Response Center (MSRC), the Microsoft Vulnerability Research (MSVR) program, and the Microsoft Security Research and Defense team) and at Adobe (the Adobe Product Security Incident Response Team (PSIRT) and the Adobe Secure Software Engineering Team (ASSET)), we have also been able to identify security trends and address vulnerabilities more rapidly.
Continue working together
We consider the collaboration between Microsoft and Adobe to be a great success for both companies. We look forward to continuing to work together and discovering new and better ways that we can protect both Microsoft and Adobe customers in the future.