CANCUN, Mexico -- Adobe security chief Brad Arkin has a message for the benevolent security research community: Your work is driving down the cost and complexities of attacks against computer networks.
During a keynote presentation at the Kaspersky Security Analyst Summit (see disclosure), Arkin said the intellectual pursuit of exploiting software vulnerabilities and defeating mitigations is simply providing a roadmap for the bad guys to break into computer systems.
"My goal isn't to find and fix every security bug," Arkin argued. "I'd like to drive up the cost of writing exploits. But when researchers go public with techniques and tools to defeat mitigations, they lower that cost."
At Adobe, Arkin's security teams have been working overtime to stem the flow of zero-day attacks against two of its most widely deployed products -- Adobe Reader and Adobe Flash Player -- and he made the point that too much attention is being paid these days to responding to vulnerability reports instead of focusing on blocking live exploits.
"We may fix one vulnerability that has a security characteristic but when we change that code, we are creating a path to other vulnerabilities that may cause bigger problems in the future," he said.
Arkin suggested that Adobe -- and other big software vendors -- cut their losses and take a different approach. Instead of running on a treadmill to patch every vulnerability report, security teams should invest heavily in mitigations and anti-exploit technologies and work more closely with the research community to curb the publication of information that can help malicious hackers.
"We have patched hundreds of CVEs [individual vulnerabilities] over the last year. But, very, very few exploits have been written against those vulnerabilities. Over the past 24 months, we've seen about two dozen actual exploits," Arkin said, making the argument that software vendors are not wisely using their security response resources.
Arkin argued that it's impossible for software vendors to produce code without security defects. "You can improve the code but you're never going to get it perfect. At Adobe, we have invested a lot to build mitigations and drive up the cost and complexity [of exploiting software bugs]. But now we have offensive research teams -- the good guys -- who are driving down that cost when they research a new technique to hack into software, write a paper and publish it to the world."
"Something hard becomes very very easy. These exploits and techniques are copied, adapted and modified very cheaply."
"I'm not saying we should outlaw offensive research. However, it's clear that these [intellectual] offensive advances very much change the game. Once something gets published, it's only a matter of time before real-world bad guys put them into their operations."
* Image via Nikita Svetsov.