The Adobe Secure Product Lifecycle (SPLC)
Integrated into several stages of the product lifecycle—from design and development to quality assurance, testing, and deployment— the Adobe Secure Product Lifecycle (SPLC) is the foundation of security at Adobe. A rigorous set of several hundred specific security activities spanning software development practices, processes, and tools, the Adobe SPLC defines clear, repeatable processes to help our development teams build security into our products and services and continuously evolves to incorporate the latest industry best practices. Adobe security researchers provide full SPLC guidance for our products and services based on an assessment of potential security issues. Complemented by continuous community engagement, the Adobe SPLC evolves to stay current as changes occur in technology, security practices, and the threat landscape.
The Adobe SPLC is organized into four key areas reflecting the full design, development, deployment, and ongoing operational lifecycle of Adobe products and services. SPLC controls include service roadmaps, security tools, and testing methods that guide the security team to help address the Open Web Application Security Project (OWASP) Top 10 most critical application security flaws and CWE/SANS Top 25 most dangerous software errors.
Training and Certification
- Incident Response
- Threat Intelligence
- Logging
- Monitoring
- Abuse and Fraud Prevention
- Security Requirement Gathering
- Security Risk Assessment
- Security Architecture Review
- Security Threat Modeling
- Static and Dynamic Analysis
- Secure Code Review
- Secure Configuration
- Operational Security Controls
- External and Internal Penetration Testing
- Security Scanning
- Auto-remediation
Secure Design
Adobe’s “secure-by-design” methodology helps ensure that security requirements are defined as early as possible in the application development process. Our security and development teams adopt a “shift-left” approach to secure design that emphasizes early course correction to help bake in security controls and reduce the potential cost of changes introduced later. More information is available in our Application Security Overview white paper.
Secure Development
During the development cycle, Adobe uses automated tooling to help ensure applications meet our defined security policies and controls. This helps ensure security throughout the entire software development lifecycle. It also enables product security to better scale across the company and provide continuous security coverage to keep up with the rapid pace of innovation. More information is available in our Application Security Overview white paper.
Secure Operations
With a cloud footprint that includes public and private clouds across different providers, our strategy requires consistent and repeatable operational security guardrails that are readily available to our product and service teams. In addition, our Adobe Cyber Defense Center and Product Security Incident Response (PSIRT) teams help monitor and manage ongoing security threats and develop and maintain robust threat intelligence programs. They also help ensure any reported incidents with our solutions are resolved per defined policies and standards. More information can be found in our Operational Security Overview white paper and Incident Response Overview white paper.
Ongoing Training & Certification
Adobe has created a culture of security that touches virtually every corner of the company, beginning with regular security awareness training and activities for all employees. Engineering and operations employees receive additional job- and/or function-specific security training and certification, helping them be informed, adaptable, and responsive to whatever risks may arise. Adobe also looks for opportunities to collaborate with other companies on best practices and strategies for defining and achieving a strong security culture.