Adobe Security Training

Adobe Security Training White Paper

Table of Contents
Adobe Security
The Adobe Security Organization
Adobe Secure Product Development
ASSET Software Security Certification Program
Security Awareness Training
Conclusion

Adobe Security

At Adobe, we take the security of your digital experience seriously. From our rigorous integration of security into our internal software development process and tools to our cross-functional incident response teams, we strive to be proactive and nimble. What is more, our collaborative work with partners, researchers, and other industry organizations helps us understand the latest security best practices as well as continually build security into the products and services we offer. This white paper describes the Adobe security training and awareness activities that help increase the security IQ of Adobe employees and ultimately help improve the security of Adobe products and services.

The Adobe Security Organization

As part of our commitment to the security of our products and services, Adobe coordinates all security efforts, including security training, under the Chief Security Officer (CSO). The office of the CSO coordinates all product and service security initiatives as well as the implementation of the Adobe Secure Product Lifecycle (SPLC) process. The CSO also manages the Adobe Secure Software Engineering Team (ASSET), a dedicated, central team of security specialists who serve as consultants to key Adobe development and operations teams. ASSET researchers work with individual Adobe product and operations teams to strive to achieve the right level of security for products and services and advise these teams on security practices for clear and repeatable processes for development, deployment, operations, and incident response.

[Figure: Adobe Security Organization chart. Under the Chief Security Officer and the Chief Privacy Officer sit Eng. Infr. Security, Prd & Svcs Security, Marketing IT Security, Risk, Audit & Advisory, Corporate Security, Cloud Svcs Security, Dig Mkt InfoSec, Creative Cloud Security, Secure Software Eng, PR, IT Security, Cloud Ops, TechOps Security, Dig Media Secure Eng, Security Coord Center, Identity Mgmt, and Dig Mkt Secure Eng.]

Adobe Secure Product Development

Adobe's ASSET team employs the Adobe SPLC process for product and services development. A rigorous set of several hundred specific security activities spanning software development practices, processes, and tools, the Adobe SPLC is integrated into multiple stages of the product lifecycle, from design and development to quality assurance, testing, and deployment. ASSET security researchers provide specific SPLC guidance for each key product or service based on an assessment of potential security issues. Complemented by continuous community engagement, the Adobe SPLC evolves to stay current as changes occur in technology, security practices, and the threat landscape.

Adobe Secure Product Lifecycle

Adobe SPLC controls include, depending on the specific Adobe product or service, some or all of the following recommended best practices, processes, and tools:

- Security training and certification for development teams
- Product health, risk, and threat landscape analysis
- Secure coding guidelines, rules, and analysis
- Service roadmaps, security tools, and testing methods that guide the Adobe Digital Publishing Suite security team to help address the Open Web Application Security Project (OWASP) Top 10 most critical web application security flaws and the CWE/SANS Top 25 most dangerous software errors
- Security architecture reviews and penetration testing
- Source code reviews to help eliminate known flaws that could lead to vulnerabilities
- User-generated content validation
- Static and dynamic code analysis
- Application and network scanning
- Full readiness reviews, response plans, and release of developer education materials

[Figure: Adobe Secure Product Lifecycle (SPLC). Stages: Requirements & Planning, Design, Development & Testing, Staging & Stabilization, Deployment, Operations & Monitoring. Surrounding activities: Training & Certification; Abuse, Fraud & Incident Response; continuous Community Engagement.]

ASSET Software Security Certification Program

A key part of the Adobe SPLC, the ASSET Software Security Certification Program includes ongoing security training within development teams to enhance security knowledge throughout the company and improve the overall security of our products and services. The program provides a foundation for participants to understand security fundamentals as well as a path for those individuals who want to become security leaders. Since its inception in 2009, thousands of Adobe employees have participated annually in the ASSET Software Security Certification Program, attaining one or more of the certification levels described in detail below. More recently, the program formed the basis for the newly released industry software security training program from SAFECode (the Software Assurance Forum for Excellence in Code), a global, non-profit organization focused on identifying and promoting best practices for developing and delivering more safe and reliable software, hardware, and services.

ASSET Certification Levels

White: Introduces basic security concepts (e.g., security in web-focused languages, such as Ruby on Rails and PHP)
Green: Builds on the basic security topics covered at the White Belt level
Brown: Measures, recognizes, and rewards the development of security components in Adobe product code (e.g., sandboxing)
Black: Recognizes the highest level of hands-on security expertise within Adobe development teams across the company

Depending on their specific job function and role, Adobe employees may choose from one of four (4) levels of certification, also called belts. Each level or belt requires a specific number of hours of training to achieve, again based on job function or role with Adobe. While the lower levels of certification only require online training sessions in basic security concepts, the higher certification levels include hands-on, experiential projects that may directly relate to or impact the employee's job responsibilities. Currently, White Belt certifications are required to be renewed after eighteen months, unless an employee also earns a Green Belt.

ASSET Course Content

The current ASSET Software Security Certification Program curriculum includes more than 50 course offerings, and Adobe continually adds new material to the curriculum in a rolling-release format. Updates are made based on emerging security concepts, new products or technologies, and employee feedback and recommendations, thereby keeping program content fresh and current. Adobe notifies employees of new course content through online announcements, ensuring equal access and availability to important security concepts and achievement of training levels. Adobe employees can choose different tracks within each level of the program based on their specific job function and requirements, with tracks designed for developers, quality engineers, and managers. Each track also includes sub-tracks that enable employees to focus on the particular products and technologies with which they work in their role at Adobe. At the end of each training module, program participants fill out a survey asking them to rate the content and propose suggestions for improvement.

ASSET Certification Requirements

Through the four-tiered ASSET Software Security Certification Program, employees earn a colored belt for each level they attain:

White: Between two (2) and eight (8) hours of online training, depending on employee role
Green: Between two (2) and eleven (11) hours of online training, depending on employee role
Brown: Hundreds of hours of experiential, hands-on training with specific security projects
Black: Hundreds of hours of experiential, hands-on training with specific security projects

White and Green Belts

Adobe designed the White Belt and Green Belt levels to provide basic security training for employees who need to understand security concepts for their job. Employees attain one or both of these levels through computer-based trainings (CBTs), which include PowerPoint presentation decks with voice-overs and animated demos. While the CBTs vary in length, most of them are approximately 30 minutes long and include a quiz at the end of the training module to ensure that the participant has digested the content in the CBT. In general, achieving a White Belt takes between two and eight hours of screen time, while training for a Green Belt can be completed in approximately two to 11 hours.

White Belt Curriculum

The White Belt curriculum is designed to ensure that the employee has a core competency in security concepts as well as security knowledge that applies directly to his or her job responsibility at Adobe. To meet this goal, the White Belt curriculum includes a core syllabus of basic security concepts that affect every employee at Adobe, from policy training (e.g., SPLC: Adobe Secure Product Lifecycle) to more technical, yet platform- and language-agnostic security training (e.g., Authentication 101: A Passwords Backgrounder for Everyone). From there, the participant can engage in specialized training in technologies directly related to his or her job responsibilities. For example, if a developer codes in C/C++ on a Windows platform, he or she can take White Belt-defined courses for developers for C/C++ on Windows. Similar courses exist for employees using Java, PHP, and Ruby on Rails in their day-to-day job responsibilities.

Green Belt Curriculum

Picking up where the White Belt curriculum ends, the Green Belt curriculum explores security concepts in greater depth and introduces more complex security topics and case studies. Examples of some Green Belt courses include: Anatomy of an Attack, XSS 201, Injections 201, and Web Architecture, Same Origin, and User-Generated Content.
Brown and Black Belts

The two higher certification levels, Brown Belt and Black Belt, require completion of hundreds of hours of hands-on experience with security projects over a period of several months or even a year. Some projects that employees can undertake in order to gain Brown Belt or Black Belt certification include:

- Researching and presenting a topic at a security conference
- Implementing new testing strategies
- Researching and developing new content for the ASSET Software Security Certification Program
- Architecting or re-architecting products or components to enhance security (e.g., sandboxes)
- Creating new vulnerability detection and response strategies

Often, employees combine or undertake several projects to fulfill the Brown Belt and Black Belt certification requirements. For each project he or she completes, the participant earns points toward the 1,000-point requirement for Brown Belt status or the 3,000-point requirement for Black Belt status. Points are determined by multiplying the number of hours a candidate worked on a project by the security expertise modifier, a number that reflects 1) the difficulty of the task and 2) the impact of the project on security at Adobe. This modifier ranges from 0.03 to 3.0. Upon completion of a security project, the candidate submits a report to the security training committee, which then determines the appropriate points for the project. When an employee accumulates enough points to reach Brown Belt or Black Belt status, the security training team sends a congratulatory email not only to the candidate, but also to the Adobe security community and the candidate's manager.

Employees attaining Brown and Black Belts become candidates for the embedded security champion role within their development teams and are a critical part of the implementation of the Adobe SPLC process throughout the company. Security champions assist the centralized ASSET team in scaling security efforts across the company, disseminating critical security information to their product or service teams and ensuring the completion of security tasks within them. These security champions also participate in periodic security boot camps and industry events and conferences to further enhance their security knowledge.

Tracking Certification Progress

Participants and their managers are encouraged to set goals for reaching a specific certification by a specific date. Motivated participants make achievement of the next level of certification a part of their annual performance objectives and can gain increased visibility and recognition when they achieve those levels. Using an internal web tool that interfaces with Adobe Connect, employees can check their own progress through a particular certification level, and managers can follow up with team members about their certification status. Per-product certification status rolls up to an overall security health dashboard, which is reviewed monthly at Adobe Senior Operations Staff meetings.

[Figure: Adobe Security Certification Program Status Tool. The screenshot shows a sample organization's belt counts as a bar chart (White Belts 6, Green Belts 16, Brown Belts 7, Black Belts 4), a list of team members, and a "Mail Training Reminder" button.]

The screenshot above shows current certification progress for an organization's security team. The yellow buttons allow the manager to automatically send a reminder email to anyone within the organization who has not completed his or her certification by the pre-defined date. Clicking on the yellow button opens the manager's email client and populates a message with the appropriate content for the person he or she has selected to remind.
Security Awareness Training

In addition to the ASSET Software Security Certification Program, all full-time, regular Adobe employees are required to complete annual security awareness training, which includes information about safe handling of confidential information, safeguarding devices, using password protections effectively, and recognizing and avoiding social engineering. Security awareness training is refreshed annually. Employees also regularly participate in internal security awareness seminars and other activities to increase awareness of how security affects their specific roles within the organization and the company as a whole. Adobe regularly holds seminars featuring speakers who share the latest research in the field. Employees gain exposure to top security professionals, researchers, and academics through these seminars and periodic security summits, improving their overall security knowledge. In addition, the company's internal bi-annual event held in San Jose, California, called Tech Summit, includes a specific track for security, enabling Adobe developers and quality control engineers to share information with each other.

Adobe employees are also encouraged to take full advantage of the wealth of security resources available outside the company. Adobe employees attend local, regional, and international security meet-ups and conferences and take courses in cyber-security at nearby universities. Many development teams also send team members to industry conferences, such as Black Hat, Hack in the Box, and OWASP (Open Web Application Security Project) AppSec.

In addition, Adobe holds global, hands-on cyber-awareness events for employees such as HackFests, which help participants gain a better understanding of how hackers exploit vulnerabilities as well as how these exploits are not as difficult as they may seem. During HackFests, employees gain access to a dummy server that is open to a specific class of vulnerability, such as SQL injection or XSS. Employees attempt to hack the server and leave their name in a file on the server as proof of the hack. Each employee who successfully hacks the server is eligible for a prize drawing. Typically, between 400 and 500 employees successfully hack the dummy server during a HackFest. After participating in a HackFest, many participants comment that they have a greater appreciation for security in general and for the importance of security best practices in particular.

Conclusion

The proactive approach to security training described in this paper helps increase the security IQ of Adobe employees, which ultimately helps improve the security of your Adobe products and services, as well as your data. We recognize that the security landscape is not static, which is why we continually update and enhance our security training to meet the growing number of security challenges, helping to keep your Adobe digital experience safe and secure.

For more information, please visit: http://www.adobe.com/security.
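The HackFest description above and the Green Belt course titles (XSS 201, Injections 201) name two vulnerability classes without showing them. The following is an added example, written for this page and not code from Adobe's HackFest server or training materials, of the kind of deliberately vulnerable target such an exercise exposes, beside its hardened form. It assumes a login check and a "hacked by" page as the targets; the in-memory SQLite database, the single user record, and the payloads are all constructed here for illustration. It shows why the injection works (attacker text becomes SQL syntax or HTML markup) and why parameter binding and output encoding stop it.

```python
"""Added example, not Adobe's code: a minimal SQL injection and XSS training
target. The database, user record and payloads below are constructed for
illustration only."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the HackFest dummy server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string formatting, so quotes and comment markers in the
    input are parsed as SQL rather than treated as data."""
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver binds the values after parsing, so the
    statement's structure cannot be changed by the input."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Two classic injection payloads (constructed): a tautology that makes the WHERE
# clause always true, and a comment marker that truncates the password check.
SQLI_PAYLOADS = [
    ("' OR '1'='1", "' OR '1'='1"),
    ("admin'--", "wrong password"),
]


def sqli_demo() -> dict:
    """Runs each payload against both login functions and reports the outcome."""
    conn = make_db()
    return {
        "vulnerable": [login_vulnerable(conn, u, p) for u, p in SQLI_PAYLOADS],
        "hardened": [login_hardened(conn, u, p) for u, p in SQLI_PAYLOADS],
        # Binding does not break the legitimate path.
        "real_creds_hardened": login_hardened(conn, "admin", "correct horse battery staple"),
    }


def render_vulnerable(name: str) -> str:
    """The 'leave your name' page with user input interpolated straight into HTML."""
    return f"<p>Hacked by {name}</p>"


def render_hardened(name: str) -> str:
    """Same page with HTML entity encoding, so input can never open a tag."""
    return f"<p>Hacked by {html.escape(name)}</p>"


XSS_PAYLOAD = "<script>alert(document.cookie)</script>"  # constructed payload


def xss_demo() -> dict:
    """Checks whether the payload survives as live markup in each rendering."""
    return {
        "vulnerable_has_script_tag": "<script>" in render_vulnerable(XSS_PAYLOAD),
        "hardened_has_script_tag": "<script>" in render_hardened(XSS_PAYLOAD),
        "hardened_output": render_hardened(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    print(sqli_demo())
    print(xss_demo())
```

Running the block shows both payloads logging in against `login_vulnerable` and failing against `login_hardened`, while the real credentials still succeed; the escaped page contains `&lt;script&gt;` rather than a live tag. The fixes are structural (parameter binding, output encoding) rather than input blacklists, which is the point a participant should take away from the exercise.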


Information in this document is subject to change without notice. For more information on Adobe solutions and controls, please contact your Adobe sales representative. Further details on the Adobe solution, including SLAs, change approval processes, access control procedures, and disaster recovery processes, are available.

Adobe Systems Incorporated, 345 Park Avenue, San Jose, CA 95110-2704 USA, www.adobe.com

Adobe and the Adobe logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. All other trademarks are the property of their respective owners. © 2014 Adobe Systems Incorporated. All rights reserved. Printed in the USA. 9/2014