Adobe Vulnerability Part 2 - Security Posturing

Posted March 30, 2011, 12:13 pm by Curtis Blount


By now all of you are aware of the Adobe zero-day vulnerability affecting both Adobe Flash Player and Adobe Reader. While patches have been released correcting this vulnerability, the question remains: how do consumers (and by that I mean SMBs, home users and enterprises alike) protect themselves in the future? We continue to state the obvious (and sometimes archaic) advice of patching and malware protection, but the reality demands much more than that.

There continues to be an explosion of web applications in this rapidly expanding social web presence. The rush to deliver a product to market more often than not overshadows good programming with a security focus.

Can the existing security technologies keep up with this explosion? Adobe is not the only vendor to deal with vulnerabilities, and it won't be the last. Even some of the more prestigious security companies, such as RSA, have been victims of "sophisticated" attacks whose consequences reach well beyond their own networks.

Unfortunately, the future is rather bleak. At some point there will be a zero-day attack that impacts millions of computers with catastrophic losses. The general tendency is to be reactive rather than proactive. Security professionals always speak of defense in depth, of creating security policies that protect confidential data, and so on. However, there is no general consensus that states "we, collectively as security professionals, demand that software vendors push a security focus and proper levels of security QA testing".

Even ANX, as a SaaS service provider, must include security as part of its overall plan for GRC services.

Now, no software is going to be foolproof. However, software vendors (including those in the web and mobile software arena) need to adopt the same mentality we have in the information security world: minimize the risk. Risk management must be part of the business process, on the same level as software features. This is just good business sense. When developing software, a security focus needs to be at the forefront, and security testing must be included in the SDLC process rather than bolted on at the end.

With the explosion of web and mobile applications from everyone from lone hobbyists to large software houses, we need more communication and dialog between security professionals and software vendors. Our future depends on this open communication and cooperation, as the Internet will continue to become entrenched in our everyday lives.

Unfortunately, this probably will not happen until the smoking gun is fired and regulatory statutes are put in place.

Filed under: Security Threats
Edited January 12, 2018 by Glenn