Adobe getting security religion


If you're like me, you've probably noticed that you've had to update your copies of Adobe \w+ very frequently over the past year.  I know that whenever I get a popup saying "A newer version with security updates is available.  Would you like to install now?" I say "Man, again?"

Adobe has just released an announcement in a series of articles.  Some key takeaways:

Code Hardening - The Secure Product Lifecycle (SPLC) activities have been successful in mitigating threats in new code development, but did not fully address problems in the existing code base. Therefore, an initiative in the current security effort has been focused on hardening at-risk areas of the legacy code.  (Experience shows such validation is a powerful tool in preventing as-yet unidentified security holes.)

Regular Security Updates – Starting this summer with the initial output of our security code hardening effort, we [Adobe] plan to release security updates for all major supported versions and platforms of Adobe Reader and Acrobat on a quarterly basis. Based on feedback from our customers, who have processes and resources geared toward Microsoft’s “Patch Tuesday” security updates, we will make Adobe’s quarterly patches available on the same days.

Several years ago, Microsoft launched its Trustworthy Computing initiative in order to make its software more secure.  It has taken a while to get grounded, but many of the processes now in place, including the Software Development Lifecycle (SDLC) and regular updates on Patch Tuesday, are starting to coalesce into something resembling more secure software.  It's nice to see that other companies are starting to do the same.

Other articles on this story here, here and here.
