Software security is a critical task at Macromedia, and communicating to you about security is one of the most important factors in keeping your site safe. Ironically, even mentioning security publicly is a challenge, as many hackers see it as an invitation to find new vulnerabilities.

Even so, I'd like to tell you about what we do to prevent security issues at Macromedia, what you can do to help, and how we'd like to improve the process.
What We Do To Prevent Issues
Before Macromedia ships a product, we run numerous security test plans based on examining the code and previously known exploits. We hire commercial security auditors, such as @Stake, to examine our code for possible vulnerabilities. We use independent contractors and academic contacts, who run specialized penetration tests. This testing program finds many issues prior to product shipment. But while we strive to improve the program, we can still miss issues. Often, our tenacious user community identifies these issues.
In the past year, Macromedia released more than 15 security patches, bulletins, and notifications, and I want to thank those people who found and reported security issues to us. People like Amit Klein of Sanctum, Peter Grundl of KPMG, Jochem van Dieten, Jelmer, eEye Digital Security, and Royans Tharakan of Ingenuity creatively found what we did not, and were responsible with the information—they contacted us.
When we receive this information, we assign a product-specific Security Response Team (SRT) to track the issue. These teams consist of engineering, quality assurance, technical support, and product management members; they rapidly assess the issue and resolve it together with the researchers who uncovered it. The SRT also coordinates communication between required participants, even when they may be in different groups with different functions or in different companies. In one recent case for web services (Macromedia is a major contributor to the design and implementation of the Apache Axis project, the open source web services standard), we were pleased to coordinate and resolve an issue by communicating across six other enterprise companies.
In addition to the community efforts, the Security Response Teams also monitor vulnerability lists (such as Bugtraq, VulnWatch, and CERT), test vulnerabilities identified in other software against ours, and take appropriate action.
What You Can Do for Security
One of the most important ways to stay secure is to stay informed. Hackers continually try new approaches, discover new vulnerabilities, and attempt different exploits. As we find out about potential vulnerabilities, we try to respond quickly. But we need to know how to notify you. The best and easiest way to stay current is to sign up for our Security Notification Service. Applying security fixes may mean installing a software update, modifying your system configuration, or changing how you code your web application.
This brings us to another way you can help—which may sound obvious, but can sometimes be difficult in practice: code your applications so that they use the available security mechanisms. The reason this is tricky is that these systems are usually more complex than people realize. When you write a web-based application, you rely not only on Macromedia products, but also on the server operating system, the database, the application server, the web server, any drivers/connectors/middleware, and any firewalls. In addition, end users also have their browser, plug-ins, and operating system. With this kind of complexity, it's easy to overlook something.
If you want a secure site, designate someone to stay aware of and implement security patches for all applications and software on your site. Make it one person's job. Macromedia can keep your designee informed, but if you fail to make someone responsible for applying security information, you're at risk.
Looking Forward
We continue to review and improve our practices. This year, we plan to add staff in cross-product security and security programs. We will increase the amount of training engineers receive regarding best-practice coding and security code reviews. We are also interviewing additional security companies to increase the breadth of testing for our products.
Moving forward, we will use DevNet as a central location to converse with the developer community about security: what we are doing, what precautions you should be aware of—in short, how to proactively work together to protect one another. If you have ideas on how we can improve, or feel we're missing something from our DevNet Security Center, please contact us at secure@macromedia.com.