The flak Adobe caught in February, when it , admitted the bug was being used by hackers, but then took weeks to patch the problem, is what prompted Adobe to review its security practices, acknowledged Brad Arkin, Adobe's director for product security and privacy.
"At first, this was just another of our normal security incidents," said Arkin. "But it ended up expanding to [make] changes in our security practices with Reader and Acrobat."
The project, which kicked off in February, has three parts, said Arkin, starting with a look at the legacy code in Reader and Acrobat that he characterized as "at-risk areas."
Currently, Adobe develops new code under what it calls its Secure Product Lifecycle (SPCL), an approach similar to Microsoft's much-better-known Software Development Lifecycle (SDL), which involves several security-specific steps that programmers go through to make their software less liable to harbor bugs. From now on, said Arkin, Adobe will apply the SPCL methodology to some older sections of Reader and Acrobat, too.
"We're going to broadly look at the whole application, but focus on at-risk areas, where we'll do threat modeling, static code analysis and look for potential vulnerabilities," said Arkin, who refused to call that change a full-blown "code review," like the one Microsoft spent millions on to root out bugs in Windows XP.