Thursday 1 August 2013

Black Hat: Adobe security chief preaches virtues of education


Las Vegas: Adobe chief security officer Brad Arkin is preaching a unique brand of education which he says has helped to make his company's products more secure and given employees valuable professional skills.
Arkin, who joined the company in 2008, has overseen a transition at Adobe which saw the company move from offering its products as boxed discs and digital downloads to hosted cloud services.
“It has been a big thing for us, when you are putting software in a box, it is really just the code and you don't have any control over the environment they are putting that code on top of,” he told V3.
“When we are writing code for our servers, we control in theory every aspect of it.”
With the transition from shipping products to hosting them on servers, the company has had to focus on new areas such as managing and securing servers, protecting infrastructure and preventing attacks on company systems.
To help guard the cloud infrastructure and improve the security of Adobe products, Arkin instituted a unique system based on a martial arts structure of 'belt' ranks. By reading security materials and online seminar material developed by security staff, employees earn a “white belt” ranking, a basic competency which can be obtained over a few days.
Further on, employees can spend more time studying materials and training over the course of several weeks to get a “green belt” certification, then a “brown belt” program designed to run six months and a top “black belt” certification obtainable over the course of a year or more.
The structure then plays a vital part in how development teams are assembled. Arkin and his team mandate that each project has a certain number of team members with green and white certifications as well as brown belt and black belt developers overseeing security.
In addition to making products more secure, Arkin says Adobe employees are teaching themselves valuable professional skills.
“We went from getting not just the security geeks to do the training, but also the career-oriented people,” he explained.
“You go from a less-sexy project to one that is more exciting.”
The formula has proven so successful that Adobe has exported its security programme to other firms. The company has joined the SAFECode project, which is now offering Adobe's training materials to other firms for free.
Arkin hopes that the model will help other firms to implement best practices and improve the security of their products, particularly those which interact with Adobe's own platforms.
He is also calling on the experience of other firms to help Adobe in its transition from software vendor to cloud provider. Arkin said that as he has encountered various hurdles in the company's efforts to take its products online, Silicon Valley neighbours such as Salesforce.com and Netflix have been valuable sources of information.
“The good news is we are not the first company to encounter these problems,” he said.
“We talk with all these guys and we can cherry pick what works and put that in our environment.”
