Last week, Brad Arkin from Adobe urged security researchers to consider focusing on defensive strategies for stopping attacks, rather than just on finding new offensive attacks.
It does not make any sense to me.
It’s not an either/or. Adobe should be adding additional layers of security to their products as an offensive strategy. On the defensive side, they should minimize their product vulnerabilities.
Perhaps Adobe is feeling the pressure of criminals who keep finding problems with their products and Arkin is lashing out. We understand how he feels. At CoreLabs, there would be serious repercussions if our team of exploit writers were to stop developing the means for our customers to be preemptive in their approach to security intelligence, essentially taking back control. Not only that, but the obtuse claim by Adobe that criminals would stop trying to break in if researchers were to stop developing exploits makes me wonder what is really behind the message.
In reality, sophisticated attackers have already found the vulnerabilities. CoreLabs finds them too and reports them responsibly to vendors so they can fix the problems. I believe it is our responsibility as software developers to provide inherently secure products, and in the cases where they are not, fix them effectively and move on.
The opposite of responsible disclosure is when a vulnerability is found and reported before the vendor has had a chance to release a defensible patch for the issue. In these cases, sophisticated hackers will always have an unfair advantage and can issue attacks against the vulnerability before the vendor has created and issued a patch. This is why CoreLabs follows a strict responsible disclosure process* to help vendors identify a significant issue and protect both themselves and their customers from possible harm. We consider it to be social responsibility. Sure, CORE develops and sells security software with thousands of available exploits so our customers can protect themselves. But that’s partly the point here. Everyone should be able to protect themselves from the attacks being waged against them.
There is an interesting parallel between Adobe’s problematic product security issues over the past 1-2 years and those that Microsoft experienced in the 1990s. Microsoft turned the corner after Bill Gates’s memo about trustworthy computing was revealed, with the resulting mandate to embed security into their software development lifecycle.
It was transparent. It wasn’t easy. It was a PR headache. But if you look at Microsoft today, you can see that the shift to developing as-secure-as-possible products, acknowledging that vulnerabilities are a reality, and providing the means to help customers minimize the possibility of a security issue through a consistent process has clearly worked. It certainly did not create a new business opportunity for criminals. They found their own successful business model years ago and are always going to find any possible means to break in.
Moreover, I am impressed by Microsoft’s BlueHat competition that literally offers security researchers the chance to be compensated for creating new defenses. The prize money is certainly an enticement, but Microsoft is not being blackmailed to do this. Instead, they figured out that partnering with white hats to create the most secure products possible is just good business.
My biggest issue with Adobe is asking for free fixes to problems they created. Their engineers get paid to do this too, and they should be developing defenses, not crowdsourcing them.
*I may be critical of Adobe today, but certainly not always.
- Alex Horan, CORE IMPACT Product Manager