[VOIPSEC] Securing Softphones..........???
Ari Takanen
art at codenomicon.com
Mon Apr 18 22:52:44 CDT 2005
Hello all,
On Mon, Apr 18, 2005 at 10:43:38AM -0800, Randall Shimizu wrote:
> I was wondering if anyone has any recommendation for securing
> softphones....??? I know that NIST has recommended against using
> them.
Sorry, can't avoid commenting on this topic again.
A softphone is just like any communication application on your PC:
1) See that the vendor knows about security programming practices in
general, i.e. they know what a buffer overflow is.
2) See that they have at least minimal proactive security practices
including robustness testing and code auditing tools, or that they
are using more secure programming technologies such as Java or
Symbian.
3) See that they have a programme and support for reporting security
problems. Ask what channel security vulnerabilities are reported
through, how much experience they have on those, and what is the
repairing process and disclosure process.
4) Plan for rapid update process and patch deployment process of all
softphones you are using. Try it out.
5) Secure also all applications that the softphone can launch, or
disable that functionality.
6) If necessary, make sure that the user cannot change the settings.
Good luck!
/Ari
--
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen Codenomicon Ltd.
ari.takanen at codenomicon.com Kaitovayla 1
tel: +358-40 50 67678 FIN-90570 Oulu
http://www.codenomicon.com Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-