Adobe: Focus on defenses, not bug hunting


Speaking at Kaspersky Lab's Security Analyst Summit last week, Brad Arkin, director of product security and privacy at Adobe, suggested that security researchers should focus less on finding vulnerabilities and defects in software. As reported on eWeek, Arkin said that researchers should work instead on thinking of how to make it too expensive to target those applications.

The issue is that attackers rely heavily on proof-of-concept work done by bona fide researchers and turn it against real-world targets. Using a recently patched zero-day vulnerability in Adobe Reader as an example, Arkin noted that the attackers reused three-year-old proof-of-concept code as a shortcut in an attack that hit fewer than 20 machines.

Arkin says, "If you publish a paper about a new technique, a previously hard technique becomes easy." Alluding to the difficulty of actually writing novel exploit code, Arkin pointed out that, of the vulnerabilities identified in the company's products, only about two dozen were ever matched with working exploit code. Finally, Arkin pointed to the correlation between an exploit being added to the popular Metasploit penetration-testing framework and a sharp rise in the number of attacks targeting that vulnerability.

Given the number of high-profile vulnerabilities spread across highly popular applications such as Adobe Reader and Flash, it may appear self-serving of Arkin to ask security researchers not to focus on software weaknesses. Yet what he says is not illogical; there is no doubt in my mind that many attackers are really script kiddies who lack the ability (or the time) to write the advanced code needed to pull off a new zero-day attack, and who therefore depend on published exploits.

The situation is unlikely to change in the short term, however. While Adobe has been working hard over the last couple of years to address the many security flaws in its products, for most other software firms a public proof-of-concept remains the thing that actually prompts a bug to be fixed.

For more:
- check out this article at eWeek
