Closing Adobe's security chasm

Adobe hasn't had a good time in recent months. Apart from Apple effectively banning Flash from the iPhone and iPad, Adobe's Acrobat and Reader products have been found to suffer serious security flaws. Some information security experts have even suggested that flaws in Adobe's products are now one of the most serious online risks.

What went wrong? What's Adobe doing about it? And what lessons are there for other software developers?

Back in 2001, Microsoft was embarrassed when the Code Red worm infected hundreds of thousands of web servers running its Internet Information Server (IIS), and when Nimda became the world's most widespread computer infection at that time in just 22 minutes. Microsoft's response was Bill Gates' famous Trustworthy Computing memo and a new software development process called the Secure Development Lifecycle (SDL). The result? Windows Vista, Windows 7, Windows Server 2008 and Office 2010 have far fewer security flaws, and problems have been fixed more quickly.

Microsoft has shared its lessons with partners like Adobe, and has even condensed the SDL down to a 17-page guide that any developer can use, whatever the platform — the Simplified Implementation of the Microsoft SDL.

In Patch Monday this week, Stilgherrian speaks with Brad Arkin, Adobe's director of Product Security and Privacy. He explains how Adobe has improved its own Secure Product Lifecycle (SPLC), and how it plans to move forward with security in Adobe's troubled product line.

Plus we have Stilgherrian's usual idiosyncratic look at the week's IT news headlines.

To leave an audio comment for Patch Monday, Skype to stilgherrian, or phone Sydney 02 8011 3733.

Running time: 23 minutes, 16 seconds

Stilgherrian spoke with Brad Arkin at Microsoft's Trustworthy Computing Tour. He travelled to Redmond, Washington, as a guest of Microsoft.