Adobe Taps Senior Director For Newly Created CSO Role


Adobe Systems has named Brad Arkin, who oversaw a major overhaul of the product and engineering activities at the company, to the newly created chief security officer position.

Arkin set out to build a software security program aimed at developing security defenses to thwart attacks targeting flaws in the company's Reader and Acrobat products and at pushing out patches in a more timely and automated fashion to the millions of users of the company's ubiquitous Flash and PDF software. In a blog post Thursday, Arkin, who has spent almost 5 years at the company, said he would continue to oversee the Adobe Security Software Engineering Team (ASSET).

"The driving goal behind our security work is to protect our customers from those who would seek to harm them," Arkin wrote. "Adobe has some of the most widely-deployed software in the world and we are keenly aware that this makes us a target."

Arkin will report to Bryan Lamkin, senior vice president of technology and corporate development. Under the ASSET team, Arkin will guide the company's secure product lifecycle, the foundation of which was created using the Microsoft Security Development Lifecycle. Microsoft provides its SDL as a guide for other firms to inject security into their development processes.

Adobe had suffered for years from millions of lines of outdated legacy code, which had been acquired and changed hands a number of times. The firm set out to establish a mechanism to address serious vulnerabilities quickly while also addressing the underlying issues that prevented more robust security defenses in its software, which is used frequently by both enterprises and consumers.

Arkin will continue overseeing the Product Security Incident Response Team (PSIRT), responsible for managing response to product security incidents.

"In my new role, I have the opportunity to lead Engineering Infrastructure Security, a team that builds and maintains security-critical internal services relied on by our product and engineering teams, such as code signing and build environments," Arkin wrote. "I will also continue to manage and foster two-way communication with the broader security community, a vital part of the central security function."

The company's engineering team is also responsible for rolling out sandbox environments around its products that make it more difficult for attackers to successfully infect a user's system. The company released support last year for the sandbox security mechanism for Flash in Firefox. It is also available for Google Chrome. "Protected Mode" for Adobe Reader and Acrobat was rolled out in 2010.

Adobe Reader X, which has the sandbox security component, was created in response to attacks targeting zero-day flaws in the software. Adobe Reader X also has a protected view feature, introduced in 2011, which adds another layer of security when a user opens an untrusted file.

Arkin has pointed out that no security mechanism is a silver bullet, and like most software companies, the firm continues to deal with exploits that bypass security restrictions.

"We remain committed to doing everything we can to defend against the bad guys. I am excited to continue leading the charge at Adobe," Arkin wrote.

PUBLISHED APRIL 25, 2013