Macromedia Security Practices

Executive Summary

Macromedia uses industry-leading security engineering practices and processes in building its products. That work is reflected in products that are trusted throughout the world to provide rich experiences while building and operating secure web applications. This document provides an overview of the security engineering practices at Macromedia.

Experience Matters

Macromedia has been a leading developer of server and client software for over 10 years. During that time, our products have undergone intense scrutiny from all types of security experts – both within and outside of Macromedia. These products, and our engineering processes, have withstood the most difficult security test: the real-world test of time.

Macromedia Flash Player is the most widely distributed piece of software in the world. ColdFusion was the first server platform for dynamic HTML applications. Throughout the world, Dreamweaver is the most widely used tool for building websites. It is undeniable that these and other Macromedia products provide some of the most attractive targets for people who hack, attack, disrupt, or otherwise attempt to circumvent the security of web applications. Nevertheless, Macromedia has maintained a strong, consistent record of providing trusted products.

Macromedia’s software is used by governments, financial institutions, and other security conscious organizations to provide their customers with the richest possible user experience in business applications.

Our Philosophy

When it comes to security, Macromedia is practical and grounded by our own experience and that of our industry peers. We apply industry best practices when making decisions about security – this includes techniques used in engineering and QA, as well as the way that we’ve structured our organization and our processes. Where appropriate government and industry standards exist, we use them to inform our decisions.

Although Macromedia believes that security is a shared responsibility between ourselves and our users, we know that we must carry the greater part of that responsibility. We work hard on security, so that our users can focus on providing rich, user-friendly experiences.

Our Internal Team

Macromedia has a team dedicated solely to ensuring the security of those who use our products. The team has industry-leading experience and training in building secure applications. This team is a core service provided to all of our product teams, and it is independent of any specific business or product line.

Why do we have this team? Because we’ve found that having an independent team provides security with the prominence that it needs in software development. Security issues are often less visible and less easily understood than user interface changes or other elements that affect normal operation of the product. Many development organizations are therefore tempted to “defer” security fixes because they think that no one will notice. At Macromedia, we have a team of security experts who make sure that people do notice and that potential problems are eliminated before they reach customers.

You can contact our internal team directly about potential security issues by sending mail to secure@macromedia.com.

Development Checks and Balances

Making sure that Macromedia products exceed customer expectations for security requires the efforts of a variety of different people and teams. We use a system of overlapping checks throughout the development process to ensure our security obligations are being met at every stage.

To start with, each product team is dedicated to providing customers with a secure product. Macromedia’s engineers consider potential threats when designing and implementing products. Quality Assurance (QA) uses those threats to test the products for security flaws. The product teams always have access to an expert on the Product Security Team, and they also participate in periodic secure development training to make sure that their skills stay sharp.

Each product has a dedicated contact on the Product Security Team. That contact person provides ongoing security support to engineering and QA, and gives feedback to the product team at a number of well-defined checkpoints in our development process:

  • Threat modeling is performed at the feature and product architecture level
  • Security spec reviews are conducted for features
  • Security reviews are conducted for test-plans
  • A product security review is conducted as the product nears release

In addition, the Product Security Team or the product team regularly recommends external product security reviews to extend and verify the effectiveness of our internal work on security.

It is common for Macromedia to have both third-party security consultants and internal security team members providing guidance on security features throughout the entire development lifecycle – from early architecture conversations to the final security review before a product is shipped.

Incident Response Process

Occasionally a product ships with a bug that may expose our users to undesirable security risk. To help identify those situations and give third parties an easy way to communicate their concerns, the Product Security Team provides a number of mechanisms for alerting us to potential security issues. The Macromedia website is the most common channel for communicating about post-release security events. It provides a web form that is monitored by the Product Security Team and can be used to tell us directly about an issue. We may also become aware of vulnerabilities through our customer support, technical support, and sales organizations, or through industry contacts.

When Macromedia becomes aware of a potential security issue, we are quick to respond. The Product Security Team coordinates with representatives from the product engineering team to identify an appropriate remediation, which often includes a patch or a simple workaround. We tightly control information about the issue until we are able to notify all potential stakeholders simultaneously.

Once a remediation is available, we then notify our customers, users, and anyone else who wants to know about the potential security vulnerability. A history of all recent security patches is available on the Macromedia website.

Communication

We are constantly trying to improve our communication about security and make sure that it meets the needs of our customers. More information about security and Macromedia’s products is available on our website, at http://www.macromedia.com/security.
