Description: In a software company, the roles of a software developer and a vulnerability researcher might seem to have little symbiosis. At Adobe, we have found that building working relationships between the two is to the benefit of the players, of software security, and helps us serve our customers and partners better. In this talk, we’ll discuss incident response (IR) at Adobe and our involvement in vulnerability sharing with partners through the Microsoft Active Protections Program (MAPP). We’ll show how a mature IR process developed into a workflow for collaboration between developers and vulnerability researchers on addressing vulnerabilities covered in MAPP. We’ll present some insights on security bug fixing in a complex product area (3D graphics). We’ll demonstrate how the collaborative relationships catalyzed Adobe’s response to two zero-days in December 2011, CVE-2011-2462 and CVE-2011-4369, resulting in accelerated patch development. We’ll review what the collaborators learned from responding to these zero-days and conclude by offering best practices for other security-development team collaborations.
Dr David Rees is a Group Lead in the Adobe Acrobat team, specializing in 3D and GIS topics while managing relationships with industry partners. Prior to that, David was CTO at Altor Systems, developing and licensing high performance 3D engine and gaming technology, and a Lead at Electronic Arts advanced technology labs. He holds a PhD in Computer Science from University College London, and a BSc in Computer Science from Exeter University. He has spoken and published in the subject areas of Archaeology, Astronomy, Computer Graphics, Geomatics, HCI, and Image Processing.
Karthik Raman, CISSP, is a security researcher on the Adobe Secure Software Engineering Team (ASSET), where he focuses on vulnerability analysis and technical collaboration with industry partners. Before joining Adobe, Karthik was a research scientist at McAfee Labs, where he worked on threat analysis, building automation systems, malware analysis, and developing advanced antimalware technology. Karthik holds a Master of Science degree in Computer Science from UC Irvine and Bachelor of Science degrees in Computer Science and Computer Security from Norwich University. Karthik has spoken at Infosec Southwest, SOURCE Boston, and LayerOne, and has delivered a Black Hat webcast.
Disclaimer: We are an infosec video aggregator, and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Original Source: http://www.youtube.com/watch?v=-yCHjvZ-WQs