Author: Astrid Bailey, PMP, Sr. Security Program Manager — With hundreds of product and service teams at Adobe, it’s simply not feasible to embed a security engineer or even a security-focused program manager in each team. So how do we help ensure our products are built securely, follow security best practices, and stay on top of industry-wide security vulnerabilities…

Authors: Mark Thomas, Sr. Cyber Security Analyst — Threat Hunter, and Sandeep Bachhas, Sr. Cyber Threat Hunter — When many companies think about network security, they usually think in terms of firewalls, anti-virus software, intrusion detection systems, and multi-factor authentication (MFA). Once these preventative measures are in place, companies often centralize their monitoring and response processes by standing up a security operations center (SOC) that respond to alerts…

Author: Alex Stan, Product Security Engineer — You may already be familiar with the Common Vulnerabilities and Exposures (CVE) program maintained and operated by the Homeland Security Systems Engineering and Development Institute, or HSSEDI, a federally funded research and development center managed by MITRE. The program, launched in 1999, is the definitive reference source for publicly known…

Author: Ningjing Gao, Sr. Group Program Manager — Vulnerability management is an important component of risk mitigation at Adobe. While vulnerability management as a practice includes a variety of security mechanisms, such as bug bounties, penetration testing, and security reviews (all of which are under the Adobe Security umbrella), a vulnerability management program is typically focused on identifying…

Author: Todd Baumeister, Senior Security Researcher, and Rohan Kapoor, Product Manager A few weeks ago, we introduced you to Ethos, an internally developed cloud-native and cloud-agnostic platform that streamlines the development, operation, and consumption of cloud services inside Adobe. You may recall that Ethos offers developers the capability to deploy…

Author: Nag Medida, Security Tools Architect — The central security team in a product development organization plays a vital role in implementing a secure product lifecycle process. At Adobe, this is the team that drives the security vision for the entire company and works with individual product and service teams on their proactive security needs. While we…

Author: Rohan Kapoor, Product Manager — Imagine a scenario in a software company, where hundreds of development teams have sprawled to the cloud with their own infrastructure designs, processes, and Continuous Integration/Continuous Deployment (CI/CD) pipelines. Some of the challenges they face might include: Manual one-off provisioning of tools Hard to apply rigor to standards around security…

Authors: Andrei Cotaie, Tiberiu Boros, Kumar Vikramjeet, and Vivek Malik, Adobe Security Intelligence Team — In security, “Living off the Land” (LotL or LOTL)-type attacks are not new. Bad actors have been using legitimate software and functions to target systems and carry out malicious attacks for many years. And although it’s not novel, LotL is still one of the preferred approaches even for highly skilled…

Author: Akriti Srivastava, Security Analyst, Adobe OpSec Team — With any cloud platform, a lack of understanding of required security controls and unintentional misconfigurations can bring additional risk to the DevSecOps process. A test environment, where engineers can safely learn new attack methodologies, is the preferred approach, but what do you do if such a testbed isn’t readily available…