Last week we launched our 2017 CISO Investment Blueprint which analyzes survey responses from 100 security decision makers regarding the current state of application security. In addition to the survey results, we’ve chatted with several innovators in the security industry to get their thoughts on appsec today and the future.
Over the next couple of weeks, we’ll be publishing these interviews, filled with insights around the challenges and opportunities present for security decision-makers in 2017. We welcome your feedback and observations as well! Tweet us or shoot us an email to share your thoughts.
Our third interview is with Brad Arkin, Vice President and Chief Security Office, Adobe. Brad will also join us next week on DarkReading to discuss his thoughts in more depth.
Jason Haddix: Thanks for taking the time to share your thoughts on what’s going on in the application security space. First off, how did you get into this space?
Brad Arkin: I read Bruce Schneier’s “Applied Cryptography” when I was a freshman in college and got totally hooked. However, I realized pretty quickly that crypto and other computer security topics are, at their core, really just software security challenges. I founded the Software Security Group at Cigital with Gary McGraw and John Viega around 1998, and I’ve been working to help teams make software more robust against attacks ever since.
JH: Since then, you’ve done quite a bit, including the great work you’ve done in your current role at Adobe. On that note, what are you most proud about in 2016 that you’ve accomplished?
BA: If I look back at 2016, the accomplishment that I’m most proud of is the work we’ve done around the Common Controls Framework. The Common Controls Framework (CCF) is a set of security activities and compliance controls that are implemented within our product operations teams as well as in various parts of our infrastructure and application teams. In creating the CCF, Adobe analyzed the criteria for the most common security certifications for cloud-based businesses and rationalized the more than 1,000 requirements down to Adobe-specific controls that map to approximately a dozen industry standards. Putting these controls and requirements in place was a huge, multi-year, company-wide undertaking. The current phase of work culminated at the end of November 2016, when Adobe got SOC 2 –Type 2 and ISO-27001 certification across all of our enterprise clouds.
JH: That is a huge accomplishment. In that process, what have the biggest challenges over the past year been?
BA: Well for Adobe, one of the biggest challenges has been to consolidate onto one underlying cloud infrastructure platform. We have disparate engineering and operations teams that are running at top speed to develop new product features, and each team likes to do things in their own way. We’ve been tasked with examining what’s working and what’s not, and applying what’s working across the board for better efficiencies. So, there is a lot of coordination and collaboration on tools and processes going on right now, which has the added benefit of allowing us to automate more security processes and to reduce the cost to product teams, for security and compliance work going forward. We will continue this work in 2017.
JH: What do you think can be improved in appsec in the near future?
BA: Oh, I think a lot can be improved. I personally am interested in the opportunities associated with containerization and would like to see more security enhancements built into using containers. I’d also like to see less reliance on the use of lengthy security questionnaires during the sales process and more reliance on certifications and third-party evaluations that measure security practices objectively, to help ensure that vendors and suppliers are doing the right things when it comes to security.
JH: How do you see bug bounties fitting into appsec in the past? Do you think that will change in the future?
BA: Well, I believe bug bounties — or as we call them “crowd-controlled pen tests” — are here to stay. We’ve found that they are most effective for products that have gone through several traditional penetration tests and where the ROI from those tests is starting to trend. Conversely, if traditional security consultants are still finding numerous bugs and architectural issues, we advise teams to spend their effort addressing the known issues and strengthening the product’s architecture. We’ve found that crowd controlled pen tests aren’t a replacement for traditional security consultants, but if they’re done right, they can provide insights into the platform that can then be used to focus the efforts of security consultants more effectively. Peleus Uhley on my team wrote an interesting blog post about crowdsourced penetration tests and how to manage them effectively for better results.
JH: Looking to the future. What are your 2017 goals?
BA: We will continue work around certifications for 2017. We’ll also look at data sovereignty/data residency for the company and how Adobe will meet the challenges we’re seeing there, especially in the EU. My team will continue work on platform security and operations collaboration and automation. Other than that, I will try to ensure we “keep the trains running,” i.e., continue to do all the great security work we’ve been doing and keeping the security culture and product security momentum going. I’m looking forward to the rest of 2017.
To learn more about top appsec challenges and opportunities for the upcoming year, download our recently downloaded asset, “2017 CISO Investment Blueprint.”
We welcome your feedback and encourage you to join the conversation, which will continue next week on DarkReading.