[VOIPSEC] Securing Softphones..........???
art at codenomicon.com
Tue Apr 19 04:52:44 BST 2005
On Mon, Apr 18, 2005 at 10:43:38AM -0800, Randall Shimizu wrote:
> I was wondering if anyone has any recommendation for securing
> softphones....??? I know that NIST has recommended against using
Sorry, can't avoid commenting on this topic again.
Softphone is just like any communication application on your PC:
1) See that the vendor knows about security programming practices in
general, i.e. they know what a buffer overflow is.
2) See that they have at least minimal proactive security practices
including robustness testing and code auditing tools, or that they
are using more secure programming technologies such as Java or
3) See that they have a programme and support for reporting security
problems. Ask what channel security vulnerabilities are reported
through, how much experience they have on those, and what is the
repairing process and disclosure process.
4) Plan for rapid update process and patch deployment process of all
softphones you are using. Try it out.
5) Secure also all applications that the softphone can launch, or
disable that functionality.
6) If necessary, make sure that the user cannot change the settings.
Ari Takanen Codenomicon Ltd.
ari.takanen at codenomicon.com Kaitovayla 1
tel: +358-40 50 67678 FIN-90570 Oulu