Adobe has an established footprint on Amazon Web Services (AWS). It started in 2008 with Managed Services, and expanded greatly with the launch of Creative Cloud in 2012 and the migration of Business Catalyst to AWS in 2013. In this time, we found challenges in keeping…
The Common Control Framework (CCF) by Adobe is the cornerstone of our company-wide compliance strategy. It is a comprehensive set of simple control requirements, rationalized from the alphabet soup of several different industry information security and privacy standards. The CCF…
Secrets are valuable information targeted by attackers to get access to your system and data. Secrets can be encryption keys, passwords, private keys, AWS secrets, Oauth tokens, JWT tokens, Slack tokens, API secrets, and so on. Unfortunately, secrets are sometimes…
Finding a balance between a pleasant user experience and stringent security requirements can be a challenge. User authentication has become increasingly complex over the years, blending usernames and passwords with second factor authentication, like One Time Passwords (OTP). In many…
Adobe recently held a Security Champions Summit in Bucharest. This was a multi-day event with the goal of building up the skills of our current security champions and encouraging new ones to join the program. Part of the efforts during the…
Transport Layer Security (TLS) is the foundation of security on the internet. As our team evolved from primarily consultative role to solve problems for the entire company, we chose TLS as one of the areas to improve. The goal of this blog…
By now, most of us know that the email from the Nigerian prince offering us large sums of money in return for our help to get the money out of Nigeria is a scam. We also recognize that the same…
A few weeks ago, I traveled to the OWASP Summit located just outside of London. The OWASP Summit is not a conference. It is a remote offsite event for OWASP leaders and the community to brain storm on how to…
When you receive a notification from your computer that it’s time to update your software, do you immediately accept it or do you delay your software update because you’re in the middle of something? If you’re like 64 percent of…
Modern browsers support quite a few HTTP headers that provide an additional layer in any defense-in-depth strategy. If present in an HTTP response, these headers enable compatible browsers to enforce certain security properties. In early 2016, we undertook an Adobe-wide project…