By Shannon Lietz, vice president of product and software security at Adobe
Creating safer digital experiences is more important than ever: Bad actors continue to become increasingly sophisticated, and the stakes to protect data and assets have never been higher. To help combat threats posed by these adversaries, the most common approaches typically involve conducting more frequent or more extensive testing. However, such efforts rarely focus on what really matters to improve product security.
Understanding adversary types and the parts of software they are most likely to take advantage of can be far more valuable than traditional static, list-based software testing processes. To date, testing efforts have focused on checklists of issues of which adversaries could hypothetically take advantage. The smarter approach to product testing should be laser-focused on what adversaries are demonstrably interested in exploiting. With this approach, companies can significantly improve their overall security posture in a measurable way.
At Adobe, we have evolved our product security testing processes to focus on vulnerabilities in which adversaries show interest and have successfully exploited in the real world, with the goal of making our software more resilient and, ultimately, our customers’ data and digital experiences safer.
Introducing Adobe Securability Reports
The first results of this shift in focus, Adobe Securability Reports, are now available on the Adobe Trust Center. These reports give customers a consolidated, measured, and transparent view into the security of our products and services from an adversary-aware perspective. Presenting the combined results of our internal security testing, third-party penetration testing, bug bounties, automated code scans, and external security intelligence, the reports provide a view into how we measure the security of our solutions, underscoring our ongoing commitment to trust.
Each report includes the testing scope, findings, and actions taken to remediate each discovered item, focusing on the findings that help us enhance the overall security posture of the product or service. The testing follows the Adobe Open Test Plan Process (OTPP), which gives clearer guidance to our product and engineering teams and helps them prioritize the most pressing issues to remediate.
More Effective Product Security Requires a New Standard: Securability
With the introduction of Adobe Securability Reports, Adobe seeks to raise the bar in the industry by focusing on a more objective measurement of the security posture of products called “securability.” Intended to reflect the predicted resilience of a product in the face of adversary attacks, a securability measurement will help Adobe, and the industry, move toward a more standardized way of assessing product security based on calculable, objective risk. The ultimate goal of measuring securability is to understand and tune product security like all other functional requirements.
The advanced testing methodology described in the Adobe Securability Reports is a significant step in our journey toward deeper implementation of and measurement against of actual risk across our product development lifecycle.
If you have feedback or suggestions on the reports, please share via this brief survey.
Adobe Securability Reports are available to customers on the Adobe Trust Center using their Adobe ID. Please note: The reports require acceptance of a non-disclosure agreement (NDA) prior to downloading.
- Using Machine Learning to Help Detect Sensitive Information - April 11, 2023
- Safer Digital Experiences Start with Smarter Testing - February 21, 2023
- Standing Up a Security Program Management Office - February 2, 2023