
Adobe #1 in... Security Vulnerabilities

  • Writer: Ray Alner
  • Nov 18, 2020


Once again, linking back to Daniel Miessler’s podcast. He was talking about how Adobe always seems to be on top of the list for security vulnerabilities. In this podcast he was talking about some recent improper access control vulnerability in the Adobe Reader software. Miessler was trying to determine why Adobe was always at the top of the vulnerability chain while much larger software companies can seem to get a hold on their vulnerabilities.


My Thoughts

I’ve never been a fan of Adobe. For whatever reason they can shart out software and still be one of the biggest market leaders. It doesn’t make sense to me. Nonetheless they have quite a following and when someone says “PDF” it is almost synonymous with Adobe, even though they have more holes, bugs and vulnerabilities than a piece of mouse-gnawed Swiss cheese. For me my long history has always been a blood boiling, pulse raising experience, but I digress.

This all leads up to security, even though security isn’t really part of the answer. Specifically I want to focus on their Adobe Reader program, as that is one of their most widely used products, and it needs to be secure because of the data the reader has access to.


Corporate Structure

Let’s start with the top. Security has to come from the top down. First you have to have a CEO that is interested in creating products that are secure. Then you have to have management that echoes that in the way they tell their product managers to create their software. Coming to the table with “is it secure” from the ground up will create a culture where developers are interested in and want to make a product secure. Once the developers are primed to create a secure product, it will come second nature to them to create something they know will be secure. Look at Apple. They are quite capable of making a product that is secure. That is in their core structure.


Market Share

Part of their corporate structure/strategy (and frankly any corporate structure) is to hold as much market share as possible. They do this quite well. When you are on top by that much, economics come into play and really, you don’t need to do much unless you see a competitor gain enough market share that they might be able to take that spot from you. So, what do you do? You create enough products with a name that people recognize, just barely good enough to make sure you have all your surfaces covered and then keep the rest of the money as profit. Adobe doesn’t have to focus on user experience, or security, because that money would be better spent in support, and keeping name recognition in the digital software space. They can also charge as much as they want because you as the consumer are willing to pay, because you must use the industry standard, otherwise it’ll be hard to share and collaborate.


Innovation

This is easily seen by the way they innovate their products. There’s about as much innovation in their products as a leaky faucet. The interface and design structure have stayed practically the same for the last 20 years with little improvement in quality, security or innovation. I get it though, if it ain’t broke, don’t fix it. You also don’t want to change a product too much, because people don’t want to change their tools and their massive workflows if they don’t have to, since that costs time and money. But at the same time, these are critical, foundational things that if another product did better, faster or easier, I guarantee you would be having people jump ship really quickly.


Standardization

Adobe made the standard, so they have to keep the guise up and support the product they made, even if they don’t want to anymore. As usual, when they started, there were quite a few other standards trying to take hold; theirs just happened to be the one that succeeded.


Reader Portfolio Removal

This one is a bit of a stretch, but usually when you price a product as high as they do (almost $15/mo/user) when almost all your competition can make very good products on half that, I have a feeling they are either using their name to garner as much money as possible, or they really want to stop as many people from using the product as possible so they no longer have to support such a large user base. It could also be that they want a user to see the value add by purchasing the entire Creative Cloud suite for a little over triple the price. Might sound like a lot, but even if you needed two products, like the Adobe Acrobat DC and Lightroom, why not just bundle and get them all for a little bit more? To be honest though, I wonder how Microsoft can offer almost triple the products for a quarter of the price. Like seriously, Adobe Creative Cloud for almost $60/mo/user while Microsoft Office, a comparably capable type of suite, for $10/mo for 5 users. I digress again.


Conclusion

Well the TL;DR again, since this was longer than I expected.

1. Adobe’s general structure doesn’t lend itself to secure product development as many other developers’ do, even with the price they garner.

2. They created the standard for PDF so they have to support it.

3. They want to remove the reader from their Portfolio (a stretch, I know).

Overall I think Adobe is like any other large software developer. Just use economics and your market share to deem how well you make your product. I just can’t wait for another company to swoop in and start gnawing away at the Swiss cheese they’ve left behind.
